OpenSSF Scorecard publish_results — why the jq filter needs its own job

PR #2152 added a run: jq step to the Scorecard job to de-noise the npm/pip findings in the SARIF. CI passed on the PR branch, but the post-merge Scorecard run on main failed: with publish_results: true, the Scorecard API verifies the workflow file before accepting a result, and it rejects (HTTP 400) any job that runs ossf/scorecard-action if that job contains a step it does not approve. The failing layout and the two-job fix are shown below.

① Single job PUBLISH 400

job: analysis  (contains ossf/scorecard-action → verified)
uses actions/checkout
uses ossf/scorecard-action  publish_results: true
run jq … filter SARIF  ⚠️ not approved
uses codeql/upload-sarif

② Two jobs (this PR) PUBLISH OK

job: analysis  (verified → uses-only)
uses actions/checkout
uses ossf/scorecard-action  publish_results: true
uses actions/upload-artifact  (raw results.sarif)
▼ artifact
job: upload  (no scorecard-action → unrestricted)
uses actions/download-artifact
run jq … filter SARIF  ✅ allowed here
uses codeql/upload-sarif  (filtered)

Approved steps in a Scorecard job that publishes: actions/checkout, ossf/scorecard-action, actions/upload-artifact, github/codeql-action/upload-sarif and step-security/harden-runner, and nothing else. Any run: step fails verification with workflow verification failed: scorecard job must only have steps with `uses`, the publish is rejected, and the job fails even though the YAML is valid. The PR's own CI run could not catch this: results are published, and therefore the workflow is verified, only from the default branch. The same verifier also rejects a scorecard job that sets env:, defaults:, container: or services: or that does not run on an Ubuntu runner, and a workflow with top-level env: or defaults:; a run: step is simply the most common trip-wire.

The fix moves the filter into a dependent job (needs: analysis) that contains no ossf/scorecard-action step and is therefore not inspected at all. The public OpenSSF score is unaffected because publish_results posts the unfiltered result to the Scorecard API from inside the analysis job's scorecard-action step; only the SARIF that reaches the repository's code-scanning alerts is the filtered copy. Put differently: the jq filter hides the npm/pip findings from code scanning, not from the score.
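The complete two-job layout, written out as an added example rather than the workflow from PR #2152. The artifact name scorecard-sarif, the filtered.sarif filename and the jq expression are assumptions: the page does not reproduce the real filter, so the one below is a placeholder that drops results whose message text mentions npm or pip.

```yaml
name: Scorecard analysis

on:
  branch_protection_rule:
  schedule:
    - cron: '30 1 * * 6'
  push:
    branches: [ main ]

# Keep global permissions read-only; the verifier rejects top-level env: or
# defaults:, so write scopes are granted per job below.
permissions: read-all

jobs:
  # Job 1 contains ossf/scorecard-action, so it is verified: only approved
  # `uses` steps, no run:, env:, defaults:, container: or services:.
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # required for publish_results (OIDC to the Scorecard API)
      contents: read
      actions: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4   # pin to a commit SHA in production; Scorecard flags tags
        with:
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true   # unfiltered result is published from this step

      - name: Upload raw SARIF as artifact
        uses: actions/upload-artifact@v4
        with:
          name: scorecard-sarif   # assumed artifact name
          path: results.sarif
          retention-days: 5

  # Job 2 has no scorecard-action step, so the verifier never inspects it.
  upload:
    name: Filter and upload SARIF
    runs-on: ubuntu-latest
    needs: analysis
    permissions:
      security-events: write   # required by upload-sarif
      contents: read
      actions: read
    steps:
      - name: Download raw SARIF
        uses: actions/download-artifact@v4
        with:
          name: scorecard-sarif

      - name: Filter SARIF
        # Placeholder filter (assumption, not the expression from PR #2152):
        # delete results whose message text mentions npm or pip.
        run: |
          jq 'del(.runs[].results[] | select(.message.text | test("npm|pip")))' \
            results.sarif > filtered.sarif

      - name: Upload filtered SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: filtered.sarif
```

The split also keeps permissions minimal: id-token: write lives only in the job that talks to the Scorecard API, and security-events: write only in the job that talks to code scanning. The unfiltered results.sarif remains downloadable as an artifact for the retention window, which is useful when someone asks why the public score and the code-scanning alerts disagree.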