From 57a29e04ec2b3c7579d3d397ab49d8ea8eb845bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?JasonXuDeveloper=20-=20=E5=82=91?= <jason@xgamedev.net>
Date: Mon, 26 Jan 2026 20:47:01 +1100
Subject: [PATCH] docs: update scorecard annotation for last_push_approval
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reflect that last_push_approval is now enabled (bot approval counts as
different user from human pusher).

Signed-off-by: JasonXuDeveloper - 傑 <jason@xgamedev.net>
---
 .scorecard.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.scorecard.yml b/.scorecard.yml
index a426605b..188987f3 100644
--- a/.scorecard.yml
+++ b/.scorecard.yml
@@ -51,9 +51,10 @@ annotations:
   # Branch protection: Using GitHub Rulesets with auto-approve bot
   # - Rulesets require 1 approver (provided by auto-approve bot)
   # - Code owner review is required
-  # - last_push_approval disabled to allow auto-approve bot to work
-  # - bypass_actors: [] prevents admin bypass
+  # - last_push_approval enabled (bot approval counts as different user from pusher)
+  # - bypass_actors: [] prevents admin bypass (equivalent to "apply to administrators")
+  # Scorecard may not fully recognize ruleset settings vs classic branch protection
   - checks:
       - branch-protection
     reasons:
-      - reason: not-applicable # Using Rulesets with auto-approve bot requiring last_push_approval disabled
+      - reason: not-applicable # Using Rulesets; Scorecard may not recognize all settings