
ci(scorecard): stop uploading SARIF to code scanning#96

Merged: peczenyj merged 1 commit into devel from ci/scorecard-no-codescanning-upload on May 29, 2026

Conversation

@peczenyj (Owner)

What

Remove the Upload to code-scanning step from scorecard.yml, drop the now-unused security-events: write permission, and clean a dead pull_request clause in the job if.

Why

Scorecard only runs on the default branch (push/schedule/branch-protection), so the supply-chain/* code-scanning configurations it creates on devel have no counterpart on PR heads. GitHub can't compute the alert diff and emits this on every PR:

Code scanning cannot determine the alerts introduced by this pull request, because 1 configuration present on refs/heads/devel was not found

plus a neutral CodeQL / skipping check. CodeQL itself is healthy (Analyze (go)/Analyze (actions) pass).

Impact

  • Badge unaffected: publish_results: true still publishes to the OpenSSF API.
  • Scorecard findings still available as a SARIF artifact and on https://scorecard.dev/viewer/?uri=github.com/peczenyj/structalign — they just leave the GitHub Security tab.
  • Least-privilege: security-events: write was only needed for the removed upload.

Closes #95

🤖 Generated with Claude Code

Scorecard runs only on the default branch (push/schedule/branch-
protection), so the supply-chain/* code-scanning configurations it
creates on devel have no counterpart on PR heads. GitHub then can't
diff them and emits "Code scanning cannot determine the alerts
introduced by this pull request, because 1 configuration ... was not
found" on every PR, plus a neutral "CodeQL / skipping" check.

Drop the code-scanning upload step (it's optional). Results still go to
the OpenSSF API (publish_results: true -> badge unaffected) and to a
SARIF artifact; view them on scorecard.dev. Also drop the now-unused
security-events: write permission (least-privilege) and a dead
pull_request clause in the job `if` (there is no pull_request trigger).

Closes #95

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
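The shape of the trimmed workflow, added here as an illustration and not the repository's own scorecard.yml: the cron expression, action versions and the commented-out removed step are assumptions drawn from the standard Scorecard workflow template; only the dropped upload step and the dropped `security-events: write` permission come from the PR.

```yaml
# Illustrative scorecard.yml after the change described in this PR (assumed
# layout, not the repository's file). Scorecard runs only on the default branch,
# so there is no pull_request trigger and nothing for the job `if` to gate on.
name: Scorecard supply-chain security
on:
  branch_protection_rule:
  schedule:
    - cron: '0 6 * * 1'          # assumed schedule
  push:
    branches: [devel]

permissions: read-all            # job-level grants below are the only escalation

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      id-token: write            # still required: publish_results uses the OIDC token
                                 # to authenticate to the OpenSSF API
      # security-events: write   # removed: only the code-scanning upload needed it
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Run analysis
        uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true  # keeps the badge and the scorecard.dev viewer working
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      # Removed step: this is what created the supply-chain/* code-scanning
      # configuration on devel that PR heads could never match.
      # - name: Upload to code-scanning
      #   uses: github/codeql-action/upload-sarif@v3
      #   with:
      #     sarif_file: results.sarif
```

With the upload gone, the only remaining write scope on the job is the OIDC token needed for publishing, which is the least-privilege point the PR makes.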
@peczenyj peczenyj merged commit 5676d7a into devel May 29, 2026
6 checks passed


Development

Successfully merging this pull request may close these issues: "Scorecard SARIF upload triggers a spurious code-scanning warning on every PR" (#95).