26484917715
95%

Ran 27 May 2026 01:25AM UTC

Jobs 1

Files 89

Run time 1min

Badge

Embed ▾

Committed 27 May 2026 01:19AM UTC coverage: 94.974%. Remained the same

Build # 26484917715

Build Type

push

github

Committed by

web-flow

Commit Message

chore(scorecard): annotate SLSA generator pin exemption (remediated) (#538)

release-sign.yml:184 references the SLSA reusable workflow by tag,
not by SHA: the upstream generator's generate-builder.sh parses the
calling ref as refs/tags/vX.Y.Z and exits "Invalid ref: <sha>" when
SHA-pinned (5fbdb68 walked back the failed SHA-pin attempt and the
call site carries an inline comment block).

Integrity is anchored upstream by the hardcoded SHA256 of the
generator binary baked into the workflow at each tagged release,
and the generator is itself SLSA-attested. Every other third-party
action across .github/workflows/ is SHA-pinned.

The annotation surfaces the rationale to downstream consumers
(scorecard.dev, deps.dev, code-scanning SARIF). It does not change
the numerical Pinned-Dependencies score; scorecard annotations are
documentary by design.

Validated by parsing the file through ossf/scorecard/v5/config.Parse(),
the same code path the GitHub Action runs.

Signed-off-by: Sebastian Thiebaud <sebastian@prismarisk.com>

Coverage Stats

13511 of 14226 relevant lines covered (94.97%)

425115.62 hits per line

Jobs

ID	Job ID	Ran	Files	Coverage
1	26484917715.1	27 May 2026 01:25AM UTC	89	94.97	GitHub Action Run

prisma-risk / tsoracle / 26484917715
95%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 26484917715

prisma-risk / tsoracle / 26484917715 95%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 26484917715

prisma-risk / tsoracle / 26484917715
95%

README BADGES
x