① Single job: PUBLISH returns 400
   job: analysis (contains ossf/scorecard-action → verified)
     uses actions/checkout
     uses ossf/scorecard-action (publish_results: true)
     run jq … filter SARIF        ⚠️ not approved
     uses codeql/upload-sarif

② Two jobs (this PR): PUBLISH OK
   job: analysis (verified → uses-only)
     uses actions/checkout
     uses ossf/scorecard-action (publish_results: true)
     uses actions/upload-artifact (raw results.sarif)
       ▼ artifact
   job: upload (no scorecard-action → unrestricted)
     uses actions/download-artifact
     run jq … filter SARIF        ✅ allowed here
     uses codeql/upload-sarif (filtered)
Approved steps in a publishing Scorecard job:
actions/checkout, ossf/scorecard-action, actions/upload-artifact,
github/codeql-action/upload-sarif, step-security/harden-runner — and nothing else.
A `run:` step in that job trips the error "workflow verification failed: scorecard job must only have steps with `uses`".
The fix moves the filter into a dependent job. The public OpenSSF score is unaffected because
`publish_results` sends the unfiltered result from the analysis job, before the filter ever runs; only the SARIF uploaded to code scanning is filtered.
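The two-job layout from panel ②, written out as a complete workflow file. This is an added illustration, not the PR's own workflow; the action version tags, the artifact name and the jq filter (which drops note-level results) are assumptions, since the page does not show the PR's actual filter.

```yaml
name: Scorecard supply-chain security
on:
  schedule:
    - cron: '30 1 * * 6'
  push:
    branches: [main]
permissions: read-all

jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      id-token: write          # OIDC token scorecard-action uses for publish_results
    steps:
      # Version tags below are illustrative; pin to a commit SHA in a real repo.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: ossf/scorecard-action@v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      # Hand the raw SARIF to the next job. No `run:` step may appear in this job,
      # because the presence of scorecard-action makes it subject to verification.
      - uses: actions/upload-artifact@v4
        with:
          name: scorecard-sarif        # assumed artifact name
          path: results.sarif
          retention-days: 5

  upload:
    runs-on: ubuntu-latest
    needs: analysis
    permissions:
      security-events: write   # required by codeql-action/upload-sarif
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: scorecard-sarif        # lands results.sarif in the workspace root
      # No scorecard-action in this job, so run: steps are not verified.
      # Assumed filter: drop "note"-level results. Substitute the filter you need.
      - name: Filter SARIF
        run: jq '.runs[].results |= map(select(.level != "note"))' results.sarif > filtered.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: filtered.sarif
```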