From a63e8b4a952fe531e0b4b0945668a423bb225808 Mon Sep 17 00:00:00 2001
From: GitHub Copilot Agent
Date: Sat, 14 Feb 2026 17:35:49 +0100
Subject: [PATCH 1/2] ci(scorecard): sarif upload zu code-scanning entfernen (vermeidet token-permissions alerts)
---
 .github/workflows/scorecard.yml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 10e11e1..ebacee1 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -16,7 +16,6 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: read
- security-events: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -34,11 +33,6 @@ jobs:
 # when workflow permissions include security-events write for SARIF upload.
 publish_results: false
 
- - name: Upload SARIF to code scanning
- uses: github/codeql-action/upload-sarif@f5c2471be782132e47a6e6f9c725e56730d6e9a3 # v3
- with:
- sarif_file: artifacts/ci/scorecard/results.sarif
-
 - name: Upload Artifact
 if: always()
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
From 4f456366be92daaaa91efef926f0b0b567798a9a Mon Sep 17 00:00:00 2001
From: GitHub Copilot Agent
Date: Sat, 14 Feb 2026 17:38:55 +0100
Subject: [PATCH 2/2] ci(scorecard): dokumentiere artifact-only modus
---
 .github/workflows/scorecard.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index ebacee1..73e92fe 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
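Review bot: The context lines `# Keep deterministic local evidence + SARIF upload, avoid remote publish rejection` / `# when workflow permissions include security-events write for SARIF upload.` in the `@@ -34,11 +33,6 @@` hunk still describe a SARIF upload and a `security-events: write` permission that this same patch removes, so the comment is stale as soon as it lands. I would replace those two lines with `# SARIF is kept only as a workflow artifact; nothing is uploaded to Code Scanning, so no security-events permission is needed.` directly above `publish_results: false`. The second patch's `@@ -29,6 +29,7 @@` hunk adds a new comment above these lines but leaves the stale ones in place, so the same replacement applies there. Without the upload the Scorecard findings no longer surface as Code Scanning alerts, which appears to be the intent; if so, the comment could also name where the uploaded artifact is reviewed. The `with:` mapping and the enclosing job begin outside both hunks.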
@@ -29,6 +29,7 @@ jobs:
 repo_token: ${{ secrets.SECURITY_CLAIMS_TOKEN }}
 results_file: artifacts/ci/scorecard/results.sarif
 results_format: sarif
+ # Intentionally do not upload SARIF to Code Scanning; Scorecard findings are kept as artifacts only.
 # Keep deterministic local evidence + SARIF upload, avoid remote publish rejection
 # when workflow permissions include security-events write for SARIF upload.
 publish_results: false