kubearmor / kubearmor-client

KubeArmor cli tool aka kArmor :robot:
Apache License 2.0

Update: CI Scorecard to latest version #422

Closed tico88612 closed 5 months ago

tico88612 commented 5 months ago

Fixed #420

kranurag7 commented 5 months ago

@tico88612 was there any reason not to use https://github.com/actions/upload-artifact/releases/tag/v4.3.1 here?

Was this the main issue behind the failure? Can you please confirm this one?

tico88612 commented 5 months ago

> was there any reason not to use https://github.com/actions/upload-artifact/releases/tag/v4.3.1 here?

This part follows the new GitHub workflow template (ossf/scorecard-action); there is no particular reason.

> Was this the main issue behind the failure? Can you please confirm this one?

The main issue is ossf/scorecard-action's dependency suite, sigstore/cosign. sigstore/cosign released a new TUF trust root, and the client has to be updated to 2.2.0 or above.

The release note of ossf/scorecard-action doesn't specify the update, but according to go.mod, it should be updated to 2.3.0 or above.

FYI