Update workflow action pins to latest versions (#6)

BradWhittington · web-flow · commit fff77e5692c5 · 2026-04-03T08:10:49.000+02:00
bump actions/download-artifact in the Upload Scorecard SARIF job from v5.0.0 to v8.0.1 (Node 24-compatible)

bump ossf/scorecard-action from v2.4.1 to v2.4.3 in the analysis job
keep the rest of the workflow behavior unchanged
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -37,7 +37,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -79,7 +79,7 @@ jobs:
 
     steps:
       - name: "Download artifact"
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: SARIF file
           path: scorecard-artifacts
