From 0e533d6e76047ba61432af772172e354d70323a0 Mon Sep 17 00:00:00 2001
From: Lakhan Samani
Date: Wed, 3 Jun 2026 16:48:11 +0530
Subject: [PATCH] fix: trigger scorecard on default branch events, not releases

The OSSF Scorecard action only supports the repository default branch. Triggering on release (created) runs against the tag ref (e.g. 2.3.0-rc.1) and fails with 'only default branch is supported', breaking every RC/release. Switch to the OSSF-recommended triggers: push to main, a weekly schedule, and branch_protection_rule changes.
---
 .github/workflows/scorecard.yml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 03715b1b..d42cbc11 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -10,9 +10,17 @@ name: Scorecard supply-chain security
+# Scorecard only supports the repository's default branch. Release/tag events
+# check out a tag ref and fail with "only default branch is supported", so we
+# trigger on the OSSF-recommended events instead: pushes to the default branch,
+# a weekly schedule, and branch-protection-rule changes.
 on:
- release:
- types: [created]
+ push:
+ branches: [main]
+ schedule:
+ # Weekly, Mondays at 07:20 UTC.
+ - cron: '20 7 * * 1'
+ branch_protection_rule:
 # Top-level read-all permissions; jobs override what they need.
 permissions: read-all
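Review bot: `branches: [main]` under `push:` hard-codes the branch name, while the comment above `on:` and the Scorecard error it quotes both speak of the default branch. If the default branch is ever renamed, push-triggered runs stop without any failure and only the weekly schedule keeps the score current. A comment on that line would keep the coupling visible, e.g. `# Must match the repository's default branch; Scorecard rejects any other ref.` The bare `branch_protection_rule:` key also has no comment, unlike `schedule:`; something like `# Re-score when branch protection settings change.` would explain it. Whether the Branch-Protection check can actually read those settings depends on the token and job-level permissions, which are outside this hunk.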