
haskell-actions/hlint-scan is not considered a code scanning action #2840

Closed
chungyc opened this issue Apr 8, 2023 · 3 comments · Fixed by #2846
chungyc (Contributor) commented Apr 8, 2023

Describe the bug

haskell-actions/hlint-scan is a GitHub action explicitly for uploading SARIF files to GitHub code scanning. However, Scorecard does not consider it as such and reports a "Token-Permissions" issue:

score is 8: jobLevel 'security-events' permission set to 'write'
Remediation tip: Verify which permissions are needed and consider whether you can reduce them.

However, Scorecard is not supposed to report the use of the security-events write permission if the action is recognized as a code scanning action:

However, points are not reduced if the job utilizes a recognized action for uploading SARIF results.

Reproduction steps

Steps to reproduce the behavior:

  1. Set up a GitHub project.
  2. Add Haskell code with some poor choices. E.g., main = concat . map id ([1,2,3]).
  3. Set up haskell-actions/hlint-scan in a workflow for the project.
  4. Manually run the workflow.

Expected behavior

Scorecard recognizes haskell-actions/hlint-scan as an action uploading SARIF results. The use of the security-events write permission should not be reported as an issue.

Additional context

haskell-actions/hlint-scan uses HLint, which scans for issues in Haskell code and suggests improvements.

chungyc added the kind/bug (Something isn't working) label on Apr 8, 2023
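As an added illustration of the rule the report describes (example code, not Scorecard's own implementation): a Go sketch of the job-level Token-Permissions check with an assumed allow-list of SARIF-uploading actions that includes haskell-actions/hlint-scan, so the security-events: write finding is suppressed for jobs that use it. The types, the allow-list contents and the finding text are assumptions modeled on the message quoted above.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed minimal model of the workflow fields the check inspects (not Scorecard's own types).
type Step struct{ Uses string }
type Job struct {
	Name        string
	Permissions map[string]string // job-level "permissions:" block
	Steps       []Step
}
// Assumed allow-list of actions recognized as uploading SARIF results;
// haskell-actions/hlint-scan is the entry this issue asks to add.
var sarifUploaders = map[string]bool{
	"github/codeql-action/upload-sarif": true,
	"haskell-actions/hlint-scan":        true,
}
// actionRepo strips the ref from a "uses:" value: "owner/repo@v1" -> "owner/repo".
func actionRepo(uses string) string {
	if i := strings.IndexByte(uses, '@'); i >= 0 {
		return uses[:i]
	}
	return uses
}
// UsesSARIFUploader reports whether any step of the job is a recognized uploader.
func UsesSARIFUploader(j Job) bool {
	for _, s := range j.Steps {
		if sarifUploaders[actionRepo(s.Uses)] {
			return true
		}
	}
	return false
}
// Findings returns the Token-Permissions findings for one job: a job-level
// security-events: write is reported unless a recognized uploader needs it.
func Findings(j Job) []string {
	var out []string
	if j.Permissions["security-events"] == "write" && !UsesSARIFUploader(j) {
		out = append(out, "jobLevel 'security-events' permission set to 'write' in job "+j.Name)
	}
	return out
}
func main() {
	hlint := Job{Name: "hlint", Permissions: map[string]string{"security-events": "write"},
		Steps: []Step{{Uses: "actions/checkout@v3"}, {Uses: "haskell-actions/hlint-scan@v1"}}}
	fmt.Println(len(Findings(hlint))) // 0: hlint-scan is a recognized uploader
}
```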
naveensrinivasan (Member) commented
@chungyc Would you be interested in sending a PR for this?

chungyc (Contributor, Author) commented Apr 10, 2023

Yes, I intend to, once I've resolved #2830.

chungyc (Contributor, Author) commented Apr 10, 2023

It turns out that this does not need #2830 to be resolved first, so I opened the pull request #2846.
