From 48f76694f819b7f150f856b68993b2c65e4cc13b Mon Sep 17 00:00:00 2001
From: Byron Williams
Date: Mon, 11 May 2026 07:16:35 -0700
Subject: [PATCH] fix(scorecard): pin shared workflow to SHA instead of floating @main

Replaces the floating @main ref with the explicit commit SHA f05c26a424a708a73fc445a0ebb5b3ce476c1793 of ByronWilliamsCPA/.github. This SHA hard-codes publish_results: false, fixing the OIDC token repository claim bug. Pinning to a SHA also eliminates the supply-chain risk of silent behavior changes on future commits to .github main.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/scorecard.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 869ef28..efcb403 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -26,7 +26,7 @@ permissions:
 jobs:
   scorecard:
-    uses: ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml@main
+    uses: ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml@f05c26a424a708a73fc445a0ebb5b3ce476c1793
     with:
       publish-results: true
       upload-sarif: true
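Review bot: The unchanged `with:` block still passes `publish-results: true` while the commit message says the pinned SHA hard-codes `publish_results: false`; if the reusable workflow at that SHA now ignores the input, this line misleads the next reader into thinking results are published, and if it still honours it the description is wrong. Align the caller with the intended behaviour, `publish-results: false`, or drop the input, and note the reason in place, e.g. `# publishing disabled: OIDC repository claim bug, see pinned workflow`. A bare SHA pin is also hard to audit and for bump tooling to track; consider a trailing comment on the `uses:` line such as `uses: ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml@f05c26a424a708a73fc445a0ebb5b3ce476c1793 # <tag-or-date placeholder>`. Whether the job has further inputs or `secrets:` after `upload-sarif: true` is not visible in this hunk.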