RELEASE v1 process #33

@laurentsimon

Description

steps:

  1. cut a scorecard release and wait for a container image to be created and tagged with the new release. Note the hash of the container as CH1. Note: we do not need a scorecard release, we can use any stable version we want.
  2. update the hash pin in our dockerfile to use the container hash CH1 from step 1. Once the PR is merged, note the GitHub's commit hash as GH2.
  ~~3. manually trigger the workflow to generate our container image. Note the hash of the container image generated as CH3. It can be found here using the manifest's "digest".~~
  ~~4. update the container image hash we use in [action.yaml:L45](https://github.com/ossf/scorecard-action/blob/main/action.yaml#L45), using the hash CH3 from step 3. Once the PR is merged, note the GitHub's commit hash as GH4.~~
  3. test the new hash in a test repo we own. If successful, continue.
  4. cut release for the action - the hash of the tagged release should be GH2.
  5. send a PR to starter-workflows/code-scanning/scorecards.yml to update the hash to GH2 from step 4.
  6. merge a PR to update our documentation's example workflow to use GH2.
  7. verify on the marketplace that the workflow example contains GH2. (the marketplace uses main branch)
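
A check for the pins this procedure tracks, as an added example that is not part of the original issue or the project's own tooling: it confirms the Dockerfile is pinned to CH1 and that every workflow copy references the action at the full commit hash GH2. The function names, the `registry.example/scorecard` image name and all digest and commit values are constructed placeholders.

```python
import re

ACTION = "ossf/scorecard-action"  # repository named in the issue's action.yaml link
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)", re.I | re.M)
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*" + re.escape(ACTION) + r"@(\S+)", re.M)


def dockerfile_digests(text):
    """Map each FROM image reference to its sha256 digest, or None if unpinned."""
    pins = {}
    for ref in FROM_RE.findall(text):
        m = re.search(r"@(sha256:[0-9a-f]{64})$", ref)
        pins[ref] = m.group(1) if m else None
    return pins


def check_release(dockerfile, ch1, workflows, gh2):
    """Return a list of problems; an empty list means every pin matches."""
    problems = []
    if ch1 not in dockerfile_digests(dockerfile).values():
        problems.append("Dockerfile: no FROM line pinned to CH1")
    for name, text in workflows.items():
        refs = USES_RE.findall(text)  # commented-out uses: lines do not match
        if not refs:
            problems.append(f"{name}: action not referenced")
        for ref in refs:
            if not re.fullmatch(r"[0-9a-f]{40}", ref):
                problems.append(f"{name}: '{ref}' is not a full commit SHA")
            elif ref != gh2:
                problems.append(f"{name}: pinned to {ref[:7]}, expected GH2")
    return problems


# Constructed sample values and files, not real digests or commits.
CH1 = "sha256:" + "a" * 64
GH2 = "b" * 40
DOCKERFILE = f"FROM registry.example/scorecard@{CH1} AS base\nFROM base\n"
WORKFLOWS = {
    "starter-workflow": f"steps:\n  - uses: {ACTION}@{GH2} # v1\n",
    "docs-example": f"steps:\n  - uses: {ACTION}@v1\n",
    "stale-copy": f"steps:\n  - uses: {ACTION}@{'c' * 40}\n",
}

if __name__ == "__main__":
    print("\n".join(check_release(DOCKERFILE, CH1, WORKFLOWS, GH2)))
```

A mutable tag such as `v1` is reported separately from a stale commit hash, since the first can move after review while the second only lags behind the release.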
