Fix broken codeql-action SHA in scorecard workflow #24815

Merged
yuneng-berri merged 1 commit into BerriAI:main from joereyna:feat/re-add-codecov-ci
Apr 4, 2026
@joereyna
Contributor

Summary

The scorecard workflow was failing with:

Unable to resolve action github/codeql-action/upload-sarif@c10b806170c8ee63ea24152429041b5624f0baf5

The SHA was invalid. Updated to the correct immutable SHA for v4.35.1.

Test plan

  • Scorecard workflow passes on next scheduled or push run
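
A pin like the one fixed here is well-formed (40 hex characters) yet resolves to nothing, so a format check alone does not catch it. The sketch below is an added example, not code from this PR or the litellm repository: it compares each `uses:` pin against the commit its version comment names, using `git ls-remote --tags` output as input. The function names are hypothetical and the sample `ls-remote` line is constructed from the tag/SHA pairing this PR states.

```python
import re

# "uses: owner/repo[/path]@<ref>  # <tag>" as written in a workflow step
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
                     r"@(?P<ref>\S+)(?:\s+#\s*(?P<tag>\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_ls_remote(text):
    """Map tag -> commit SHA from `git ls-remote --tags` output."""
    tags = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue
        sha, name = parts[0], parts[1][len("refs/tags/"):]
        if name.endswith("^{}"):      # annotated tag: peeled line is the commit
            tags[name[:-3]] = sha
        else:
            tags.setdefault(name, sha)
    return tags

def check_pins(workflow_text, remote_tags):
    """Return (line_no, action, problem) for every pin that fails verification.
    remote_tags is {"owner/repo": {tag: commit_sha}}."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, tag = m["action"], m["ref"], m["tag"]
        repo = "/".join(action.split("/")[:2])
        if not SHA_RE.match(ref):
            findings.append((n, action, "not pinned to a full commit SHA"))
        elif tag is None:
            findings.append((n, action, "no version comment to verify against"))
        elif remote_tags.get(repo, {}).get(tag) != ref:
            findings.append((n, action, f"SHA is not the commit for tag {tag}"))
    return findings

# Constructed sample data: the tag/SHA pairing is the one stated in this PR.
LS_REMOTE = "c10b8064de6f491fea524254123dbe5e09572f13\trefs/tags/v4.35.1\n"
STEP = "      - uses: github/codeql-action/upload-sarif@{} # v4.35.1\n"
BEFORE = STEP.format("c10b806170c8ee63ea24152429041b5624f0baf5")
AFTER = STEP.format("c10b8064de6f491fea524254123dbe5e09572f13")

if __name__ == "__main__":
    known = {"github/codeql-action": parse_ls_remote(LS_REMOTE)}
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_pins(text, known) or "all pins verified")
```

In CI, the `remote_tags` map would be built from real `git ls-remote --tags` output for each action repository referenced by the workflow.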

@vercel

vercel bot commented Mar 30, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| litellm | Ready | Preview, Comment | Apr 3, 2026 6:38pm |


@greptile-apps
Contributor

greptile-apps bot commented Mar 30, 2026

Greptile Summary

This PR fixes a broken SHA pin in the scorecard.yml GitHub Actions workflow. The github/codeql-action/upload-sarif step was referencing an invalid commit SHA (c10b806170c8ee63ea24152429041b5624f0baf5), causing the scorecard workflow to fail with an "Unable to resolve action" error. The fix updates the SHA to c10b8064de6f491fea524254123dbe5e09572f13, which is described as the correct immutable commit hash for the v4.35.1 release tag.

  • The change is a single-line update to .github/workflows/scorecard.yml
  • The version comment (# v4.35.1) is kept unchanged; only the commit SHA is corrected
  • All other pinned SHAs in the workflow (actions/checkout, ossf/scorecard-action, actions/upload-artifact) remain untouched
  • No application code is affected; this is a CI/security tooling fix only

Confidence Score: 5/5

This PR is safe to merge — it is a minimal, targeted fix to a broken action SHA with no impact on application code.

The change is a single-line correction to a CI workflow file, fixing an invalid SHA that was causing the scorecard run to fail outright. There are no logic changes, no tests modified, and no application code touched. All remaining action pins in the file continue to follow the correct immutable-SHA pattern. No custom rules are violated.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/scorecard.yml | Single-line fix updating the broken commit SHA for github/codeql-action/upload-sarif to the correct hash for v4.35.1, restoring the scorecard workflow. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Scorecard Workflow Trigger\nschedule / push to main] --> B[Checkout code\nactions/checkout@v4.2.2]
    B --> C[Run Scorecard analysis\nossf/scorecard-action@v2.4.1]
    C --> D[Upload SARIF artifact\nactions/upload-artifact@v4.6.1]
    D --> E[Upload to Code Scanning\ngithub/codeql-action/upload-sarif]
    E --> F[GitHub Security Dashboard]

    style E fill:#d4edda,stroke:#28a745
    E -.->|Old broken SHA\nc10b806170c8...| G[❌ Unable to resolve action]
    E -.->|New fixed SHA\nc10b8064de6f...| F

Reviews (3): Last reviewed commit: "Fix broken codeql-action SHA in scorecar..." | Re-trigger Greptile

@codspeed-hq
Contributor

codspeed-hq bot commented Mar 30, 2026

Merging this PR will not alter performance

✅ 16 untouched benchmarks


Comparing joereyna:feat/re-add-codecov-ci (6cc56f5) with main (d4a3a5e)


@codecov

codecov bot commented Apr 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@krrish-berri-2 krrish-berri-2 enabled auto-merge (squash) April 1, 2026 20:50
auto-merge was automatically disabled April 3, 2026 18:36

Head branch was pushed to by a user without write access

@joereyna joereyna force-pushed the feat/re-add-codecov-ci branch from 0149d7e to 6cc56f5 Compare April 3, 2026 18:36
@yuneng-berri yuneng-berri merged commit a5322c6 into BerriAI:main Apr 4, 2026
56 of 62 checks passed