From 7025480397d8b6b7fd8cdb5e083dc37b62dbd3d8 Mon Sep 17 00:00:00 2001
From: Terry Howe
Date: Fri, 27 Mar 2026 07:45:43 +0100
Subject: [PATCH] fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow

Pin the remaining unpinned GitHub Action reference to a full commit SHA, matching the pinning convention already used across other workflows in this repository. Aligns with the Kubernetes GitHub Actions security policy.

Signed-off-by: Terry Howe
---
 .github/workflows/scorecards.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index d2bf4e56a..a4dc71bcd 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -64,6 +64,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard (optional).
 # Commenting out will disable upload of results to your repo's Code Scanning dashboard
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@v4
+ uses: github/codeql-action/upload-sarif@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
 with:
 sarif_file: results.sarif
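Review bot: The SHA-pinned `uses:` line on the added side has no visible update path in this hunk; pinning to an immutable commit means later codeql-action releases, including security fixes to the uploader itself, are only picked up if a bot such as Dependabot (`package-ecosystem: github-actions` in `.github/dependabot.yml`) or Renovate is configured to bump SHA-pinned actions, which I cannot confirm from this diff. Keep the trailing `# v4.30.7` comment in exactly that form, since that marker is what those tools parse to recognize the pinned version and rewrite both the SHA and the comment together. Before merging, confirm the SHA actually resolves to the `v4.30.7` tag of github/codeql-action (release page or `git ls-remote --tags`), because the SHA is now the only source of truth and a mistyped one would silently run a different revision or fail to resolve. The enclosing `steps:` list and job begin above the hunk.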