ci: redistribute canonical scorecard.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122)

hyperpolymath · hyperpolymath · commit 82f041493380 · 2026-05-18T12:06:29.000+01:00
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -1,12 +1,11 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
-name: OpenSSF Scorecard
-
+# SPDX-License-Identifier: PMPL-1.0
+name: OSSF Scorecard
 on:
-  branch_protection_rule:
-  schedule:
-    - cron: '0 0 * * 2' # Weekly on Tuesday
   push:
-    branches: [ main ]
+    branches: [main, master]
+  schedule:
+    - cron: '0 4 * * *'
+  workflow_dispatch:
 
 # Estate guardrail: cancel superseded runs so re-pushes / rebased PR
 # updates do not pile up queued runs against the shared account-wide
@@ -21,25 +20,22 @@ permissions:
 
 jobs:
   analysis:
-    name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
       security-events: write
       id-token: write
     steps:
-      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
-      - name: Run analysis
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+      - name: Run Scorecard
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
-          publish_results: true
 
-      - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@b2f9ef845756500b97acbdaf5c1dd4e9c1d15734 # v3
+      - name: Upload results
+        uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3.31.8
         with:
           sarif_file: results.sarif
