prisma-risk / tsoracle / 26468333414
95%

Build:
DEFAULT BRANCH: main
Ran 26 May 2026 06:55PM UTC
Jobs 1
Files 88
Run time 1min
26 May 2026 06:49PM UTC coverage: 95.243%. Remained the same
26468333414

push

github

web-flow
fix(ci): correct codeql-action/upload-sarif SHA in scorecard.yml (#506)

The SHA pinned by #502 (051e2f9…) does not exist in
github/codeql-action — GitHub returns 422 No commit found. The
actual v3.36.0 tag resolves to 03e4368a….

The bogus SHA only manifested at scorecard.dev's webapp publish
step, not at GitHub Actions resolution time:

- The Run analysis step (ossf/scorecard-action docker container)
  posts a sigstore-signed bundle to scorecard.dev. The webapp
  pulls the calling workflow file and runs an imposter-commit
  check on every `uses:` reference (app/server/github_verifier.go:
  100 most-recent tags → default branch reachability → up to 10
  release branches). 051e2f9… fails all three because it isn't
  in the repo at all, and the webapp returns HTTP 400.
- The Upload to code-scanning step itself never ran (skipped
  because Run analysis exit-coded on the publish failure), so
  the runner's own uses:-resolution would not have caught the
  mismatch on its own.

Net effect since #502: badge/score on scorecard.dev have not
updated, and SARIF upload to GitHub code-scanning is silently
skipped on every push to main — degrading the SAST signal
feeding the next Scorecard run.

Found by inspecting the failing run on commit f4b3abf:
https://github.com/prisma-risk/tsoracle/actions/runs/26467449997/job/77931456638

13414 of 14084 relevant lines covered (95.24%)

412452.82 hits per line

Jobs
ID | Job ID | Ran | Files | Coverage
1 | 26468333414.1 | 26 May 2026 06:55PM UTC | 88 | 95.24
  • Github Actions Build #26468333414
  • 4fd4330b on github