fix(scorecard): remove self-scorecard job that fails publish verification #180

Merged: williaby merged 1 commit into main from claude/fix-scorecard-self-job-0 on May 27, 2026

Conversation

williaby (Collaborator) commented May 27, 2026

Summary

  • Removes the duplicate `self-scorecard` job from `.github/workflows/scorecard.yml`.
  • The reusable `scorecard` job (calling `python-scorecard.yml`) continues to publish to the scorecard.dev dashboard.

Why this failed on main

The `self-scorecard` job invokes `ossf/scorecard-action` with `publish_results: true`. The publishing webapp verifies the workflow file before accepting the SARIF, and one of its mandatory restrictions is that the job may only contain `uses:` steps. This job had two `run:` steps (a `SCORECARD_TOKEN` presence check and a step-summary writer), so the publish call returned:

```
http response 400, status: 400 Bad Request,
{"code":400,"message":"workflow verification failed: scorecard job must only have steps with `uses`, see https://github.com/ossf/scorecard-action#workflow-restrictions for details."}
```

Failing run: https://github.com/ByronWilliamsCPA/.github/actions/runs/26477814929

Why deletion is the right fix

The sibling `scorecard` job already calls the org-level reusable `python-scorecard.yml` workflow, which publishes successfully. The `self-scorecard` job was a defensive duplicate that could never have published with those `run:` steps in place. Removing it eliminates the failing required check without losing dashboard coverage.

Test plan

  • yamllint passes on the new file
  • pre-commit (full hook chain) passes
  • CI on this PR: OpenSSF Scorecard shows only the Scorecard Analysis job and it passes
  • After merge: next push to main no longer fails the OpenSSF Scorecard required check

Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Streamlined OpenSSF Scorecard security scanning workflow to use centralized organization-level configuration for improved consistency and efficiency.

…tion

The duplicate `self-scorecard` job in `.github/workflows/scorecard.yml` was
rejected by the scorecard.dev publishing webapp with HTTP 400:

  workflow verification failed: scorecard job must only have steps with
  `uses`, see https://github.com/ossf/scorecard-action#workflow-restrictions

The job contained two `run:` steps (SCORECARD_TOKEN presence check and a
step-summary writer), which violates the supply-chain restriction that
`publish_results: true` jobs may only contain `uses:` steps.

The reusable `scorecard` job (calling `python-scorecard.yml`) already
publishes successfully, so this job was redundant. Removing it eliminates
the failing required check on `main` without losing dashboard coverage.

Closes the OpenSSF Scorecard failure on https://github.com/ByronWilliamsCPA/.github/actions/runs/26477814929

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
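The restriction behind the 400 response above (a job that runs `ossf/scorecard-action` with `publish_results: true` may contain only `uses:` steps) can be checked locally before a push ever reaches the publishing webapp. The following is an added example, not code from this PR or from the scorecard-action project; it uses Ruby's standard-library YAML parser, and both workflow snippets are constructed to mirror the job shape the description gives, not the repository's actual file.

```ruby
require 'yaml'

# Constructed sample (not the repo's real file): a job shaped like the removed
# `self-scorecard` job, publishing results but mixing in two `run:` steps.
BROKEN_WORKFLOW = <<~YAML
  jobs:
    self-scorecard:
      steps:
        - name: Check SCORECARD_TOKEN
          run: test -n "$SCORECARD_TOKEN"
        - uses: actions/checkout@v4
        - uses: ossf/scorecard-action@v2
          with:
            results_format: sarif
            publish_results: true
        - name: Write step summary
          run: echo "scorecard done" >> "$GITHUB_STEP_SUMMARY"
YAML

# Constructed sample of the compliant shape: same job, `uses:`-only steps.
FIXED_WORKFLOW = <<~YAML
  jobs:
    self-scorecard:
      steps:
        - uses: actions/checkout@v4
        - uses: ossf/scorecard-action@v2
          with:
            results_format: sarif
            publish_results: true
YAML

# True when a step invokes ossf/scorecard-action with publish_results enabled.
def publishing_step?(step)
  step['uses'].to_s.start_with?('ossf/scorecard-action') &&
    [true, 'true'].include?((step['with'] || {})['publish_results'])
end

# Returns one message per offending step; an empty array means every job that
# publishes to scorecard.dev contains only `uses:` steps (the webapp's rule).
def scorecard_publish_violations(yaml_text)
  jobs = YAML.safe_load(yaml_text).fetch('jobs', {})
  jobs.flat_map do |job_name, job|
    steps = Array(job['steps'])
    next [] unless steps.any? { |s| publishing_step?(s) }
    steps.each_with_index.reject { |s, _| s.key?('uses') }.map do |s, i|
      "#{job_name}: step #{i} (#{s['name'] || 'unnamed'}) is not a `uses:` step"
    end
  end
end
```

Jobs that do not publish (no scorecard step, or `publish_results` unset or false) are left alone, matching the scope of the webapp's check.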
Copilot AI review requested due to automatic review settings May 27, 2026 00:53
coderabbitai Bot commented May 27, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between d7a5f16 and 42001db.

📒 Files selected for processing (1)
  • .github/workflows/scorecard.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/scorecard.yml

Walkthrough

The PR refactors the Scorecard workflow to delegate OpenSSF Scorecard execution from an in-repo job to a centralized reusable org-level workflow. The inline self-scorecard job and its constituent steps are removed and replaced with a scorecard job that calls the python-scorecard.yml reusable workflow with appropriately scoped permissions.

Changes

Scorecard Workflow Delegation

Layer: Scorecard workflow delegation
File(s): .github/workflows/scorecard.yml
Summary: The in-repo self-scorecard job is replaced with a scorecard job that delegates to the reusable python-scorecard.yml workflow using a pinned reference, with permissions scoped to security-events: write, contents: read, and actions: read.

Possibly related PRs

  • ByronWilliamsCPA/.github#80: Both PRs adjust the Scorecard workflow delegation to the reusable python-scorecard.yml, aligning permission and invocation behavior.
  • ByronWilliamsCPA/.github#47: The reusable python-scorecard.yml workflow referenced in this PR was refactored in that PR to add min-score and gated SARIF score evaluation.

Poem

🐰 The scorecard hops to the shared workspace,
Where Python workflows keep the pace,
No duplication in our trace,
Just delegation, clean and bright—
One truth of Scorecard, done right! ✨


🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: ⚠️ Warning. Explanation: the description lacks required template sections including Related Issue, Type of Change, Changes Made, Testing, and Checklist sections. Resolution: fill in the missing template sections: link the related issue, mark 'CI/CD update' under Type of Change, add a Changes Made list, and complete the Checklist items.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title clearly summarizes the main change: removing a non-functional scorecard job that was causing publish verification failures.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

Copilot AI left a comment

Pull request overview

This PR updates the repository’s OpenSSF Scorecard workflow to eliminate a failing duplicate job, leaving a single job that delegates analysis to the org-level reusable workflow.

Changes:

  • Removes the self-scorecard job from .github/workflows/scorecard.yml to avoid Scorecard publish verification failures caused by run: steps.
  • Keeps the existing reusable-workflow based scorecard job as the only Scorecard job in this workflow.

Comment on lines 22 to 28 of .github/workflows/scorecard.yml (the remaining job under `jobs:`):

```yaml
  scorecard:
    name: Scorecard Analysis
    permissions:
      security-events: write
      contents: read
      actions: read
    uses: ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml@6f71aecae2c91214ca0a0a2206a36cf912aa31ac # main
```
williaby merged commit d3bc5c8 into main on May 27, 2026 (29 checks passed)
williaby deleted the claude/fix-scorecard-self-job-0 branch on May 27, 2026 04:05