fix(ci): resolve failing audit and scorecard workflows (#144)
Co-authored-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Related Documentation: 1 document(s) may need updating based on files changed in this PR: DaemonEye CI and Automation Hooks (suggested changes)
@@ -15,17 +15,17 @@
- Checks out the repository code.
- Runs Scorecard analysis and generates SARIF results.
-- Publishes results to the OpenSSF REST API for badge integration (on public repositories).
+- Result publication to the OpenSSF REST API is currently disabled due to OSSF workflow verification issues with `github/codeql-action/upload-sarif` being rejected as an "imposter commit" (`publish_results: false`).
- Uploads results as artifacts and to GitHub's code scanning dashboard.
- Supports optional configuration for private repositories and branch protection checks.
-This workflow helps maintainers monitor supply-chain security posture and enables consumers to access Scorecard results and badges. For details on configuration and authentication, see the [Scorecard Action documentation](https://github.com/ossf/scorecard-action).
+This workflow helps maintainers monitor supply-chain security posture. Note that while the workflow performs security checks, public result publication is currently disabled, limiting external badge integration. For details on configuration and authentication, see the [Scorecard Action documentation](https://github.com/ossf/scorecard-action).
**Workflow Triggers and Automation Hooks**
Workflows are triggered on push and pull request events to the `main` branch. Additionally, all major workflows support explicit user action triggers via the `workflow_dispatch` event, allowing maintainers to manually start CI or documentation jobs as needed ([ci.yml](https://github.com/EvilBit-Labs/DaemonEye/blob/a169b6886897bf281c27ce9d86d4738233658cd4/.github/workflows/ci.yml), [docs.yml](https://github.com/EvilBit-Labs/DaemonEye/blob/a169b6886897bf281c27ce9d86d4738233658cd4/.github/workflows/docs.yml), [codeql.yml](https://github.com/EvilBit-Labs/DaemonEye/blob/a169b6886897bf281c27ce9d86d4738233658cd4/.github/workflows/codeql.yml)). Documentation updates are deployed automatically on push, pull request, or manual dispatch.
-The Scorecard workflow is triggered by pushes to `main`, scheduled weekly (every Tuesday at 11:28 UTC), and branch protection rule events. It ensures supply-chain security checks are regularly updated and visible.
+The Scorecard workflow is triggered by pushes to `main`, scheduled weekly (every Tuesday at 11:28 UTC), and branch protection rule events. It ensures supply-chain security checks are regularly updated, though public result publication is currently disabled.
**Conditional Execution and Job Structure**
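Review bot: The rewritten bullet `+- Result publication to the OpenSSF REST API is currently disabled ...` sits inside a list of actions the workflow performs, so a reader scanning the steps meets a non-action between "generates SARIF results" and "Uploads results"; consider phrasing it as a step, e.g. `- Skips publishing to the OpenSSF REST API (\`publish_results: false\`) until OSSF workflow verification stops rejecting \`github/codeql-action/upload-sarif\` as an "imposter commit".`, and keeping the reason in that one place. The same "currently disabled" caveat is then repeated in the closing paragraph of this hunk and again in the Workflow Triggers paragraph; one statement plus a pointer to the comment in `scorecard.yml` is easier to keep in sync when publication is re-enabled, and a short note on what unblocks re-enabling (OSSF accepting the `upload-sarif` action) would save the next maintainer a search.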
@@ -37,7 +37,7 @@
Coverage reporting is integrated using `cargo-llvm-cov`, which generates coverage reports and uploads them to Codecov and Qlty using their respective GitHub Actions ([ci.yml](https://github.com/EvilBit-Labs/DaemonEye/blob/a169b6886897bf281c27ce9d86d4738233658cd4/.github/workflows/ci.yml)). Some workflows also use `cargo-tarpaulin` to generate HTML coverage reports ([testing.md](https://github.com/EvilBit-Labs/DaemonEye/blob/a169b6886897bf281c27ce9d86d4738233658cd4/docs/src/testing.md)). Quality gates include passing all tests, maintaining >85% code coverage, successful linting and formatting, security audits, and performance benchmarks ([issue #61](https://github.com/EvilBit-Labs/DaemonEye/issues/61#issuecomment-3290058916)).
-The Scorecard workflow adds supply-chain security checks, including branch protection, maintained status, and other Scorecard metrics. Results are published for visibility and badge integration.
+The Scorecard workflow adds supply-chain security checks, including branch protection, maintained status, and other Scorecard metrics. Results are uploaded to the code scanning dashboard but public publication is currently disabled.
**Documentation Automation**
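Review bot: `+... Results are uploaded to the code scanning dashboard but public publication is currently disabled.` needs a comma before "but", and it is the fourth statement of the same temporary caveat in this document; suggest `Results are uploaded as artifacts and to GitHub's code scanning dashboard; OpenSSF publication is disabled (see Workflow Triggers).` so the artifact upload listed in the earlier bullets is not dropped here and only one passage needs editing when `publish_results` is turned back on.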
❌ Declined
Pull request overview
Resolves CI regressions in the repository’s security-related GitHub Actions workflows by updating the cargo-deny configuration path and adjusting Scorecard publication settings.
Changes:
- Update the Security workflow to run `cargo deny` using the repository's existing `deny.toml`.
- Disable Scorecard result publication to avoid current workflow verification failures during the run.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/security.yml | Points cargo deny check at the repo’s deny.toml to fix a broken config reference. |
| .github/workflows/scorecard.yml | Disables publish_results to avoid current Scorecard publication/verification failures. |
```yaml
# Disabled because OSSF workflow verification currently rejects
# github/codeql-action/upload-sarif as an "imposter commit".
publish_results: false
```
With publish_results: false, the job likely no longer needs id-token: write permission (the file comment above says it’s needed to publish results/badge). Consider dropping id-token: write to keep least-privilege permissions aligned with the new configuration.
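A minimal Scorecard workflow that reflects the two points above (publication disabled, `id-token: write` dropped while keeping the permissions `upload-sarif` still needs), added here as an illustration and not the project's own `scorecard.yml`; the action version tags and the artifact name are assumptions:

```yaml
name: Scorecard
on:
  push:
    branches: [main]
  schedule:
    - cron: '28 11 * * 2'      # weekly, Tuesday 11:28 UTC, as described in the docs
  branch_protection_rule:
permissions: read-all           # default for every job; jobs override below
jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # checkout
      actions: read             # lets scorecard inspect the Actions environment
      security-events: write    # needed by upload-sarif to post to code scanning
      # id-token: write         # only required when publish_results is true, so omitted
    steps:
      - uses: actions/checkout@v4            # tag is an assumption; pin to a SHA in practice
        with:
          persist-credentials: false
      - uses: ossf/scorecard-action@v2       # tag is an assumption; pin to a SHA in practice
        with:
          results_file: results.sarif
          results_format: sarif
          # Disabled because OSSF workflow verification currently rejects
          # github/codeql-action/upload-sarif as an "imposter commit".
          publish_results: false
      - uses: actions/upload-artifact@v4     # keep the SARIF as a build artifact
        with:
          name: scorecard-sarif              # assumed artifact name
          path: results.sarif
      - uses: github/codeql-action/upload-sarif@v3   # feeds the code scanning dashboard
        with:
          sarif_file: results.sarif
```

When publication is re-enabled, `publish_results: true` and `id-token: write` should be restored together, since the OIDC token is what the OSSF API uses to verify the run.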
Fixes CI regressions by using the existing `deny.toml` config in the security audit job and disabling Scorecard result publication that currently fails workflow verification on `upload-sarif`.