From ec05dd5f0481c2de3a41a554adf3c52a6a2a9bb6 Mon Sep 17 00:00:00 2001
From: Terry Howe
Date: Fri, 27 Mar 2026 07:45:43 +0100
Subject: [PATCH] fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow

Pin the remaining unpinned GitHub Action reference to a full commit SHA, matching the pinning convention already used across other workflows in this repository. Aligns with the Kubernetes GitHub Actions security policy.

Signed-off-by: George Jenkins
---
 .github/workflows/scorecards.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index a4edf1a1e..16780dfc0 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -64,6 +64,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard (optional).
 # Commenting out will disable upload of results to your repo's Code Scanning dashboard
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3.35.1
 with:
 sarif_file: results.sarif
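Review bot: The new `uses:` pin is only as strong as the link between `5c8a8a642e79153f5d047b10ec1cba1d1cc65699` and the trailing `# v3.35.1` comment, and that link cannot be checked from the diff itself; before merging, confirm the SHA resolves to that tag in github/codeql-action (for example with `git ls-remote --tags` against the action repository) so the comment does not document a different release than the one actually executed. The comment is not cosmetic: Dependabot and Renovate rewrite the SHA and the version comment together only when the comment keeps the `# vX.Y.Z` form, so a stale or hand-edited comment is the usual way SHA pins drift. If the repository has no `github-actions` ecosystem entry in its Dependabot configuration, the pin will otherwise never be refreshed, though that file is not visible here. The surrounding job definition begins above the hunk, so any other `uses:` lines in this workflow should be checked for the same pinning convention.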