Closed tico88612 closed 5 months ago
@tico88612 was there any reason not to use https://github.com/actions/upload-artifact/releases/tag/v4.3.1 here?
Was this the main issue behind the failure? Can you please confirm this one?
> was there any reason not to use https://github.com/actions/upload-artifact/releases/tag/v4.3.1 here?

This part follows the new GitHub workflow template (ossf/scorecard-action) and has no particular reason.
> Was this the main issue behind the failure? Can you please confirm this one?

The main issue is ossf/scorecard-action's dependency suite sigstore/cosign; sigstore/cosign releases a new TUF trust root, and the client has to be updated to 2.2.0 or above.
The release note of ossf/scorecard-action doesn't specify the update, but according to go.mod, it should be updated to 2.3.0 or above.
Fixed #420