diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml
index db64bbe4..53bd4dd5 100644
--- a/.github/workflows/scorecard-enforcer.yml
+++ b/.github/workflows/scorecard-enforcer.yml
@@ -54,13 +54,16 @@ jobs:
 with:
 sarif_file: results.sarif
 
- # Gate on the aggregate score. The score is NOT present in the SARIF output
- # (the previous `jq '.runs[0].tool.driver.properties.score'` always returned
- # null → 0 → this gate failed on every push regardless of the real posture).
- # The aggregate score only exists in scorecard's JSON output, so run the
- # action here with `results_format: json` (and `publish_results: false`, so
- # this job needs no OIDC/id-token) and read `.score`.
- check-score:
+ # Compute the aggregate score in its OWN uses-only job. The score is NOT in
+ # the SARIF output (`jq '.runs[0].tool.driver.properties.score'` always
+ # returned null → 0 → this gate failed on every push regardless of the real
+ # posture); it only exists in scorecard's JSON output. scorecard-action and a
+ # `run:` step must never share a job (OSSF publish contract — see #304, and
+ # hypatia `scorecard_publish_with_run_step`), so this job stays uses-only and
+ # hands the JSON to check-score via an artifact. `publish_results: false`
+ # means this run neither publishes nor needs OIDC (the `scorecard` job above
+ # owns publishing).
+ compute-score:
 timeout-minutes: 20
 needs: scorecard
 runs-on: ubuntu-latest
@@ -78,6 +81,25 @@ jobs:
 results_format: json
 publish_results: false
 
+ - name: Persist score JSON for the gate job
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+ with:
+ name: scorecard-score-json
+ path: results.json
+ retention-days: 1
+
+ check-score:
+ timeout-minutes: 10
+ needs: compute-score
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Download score JSON
+ uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v5.0.0
+ with:
+ name: scorecard-score-json
+
 - name: Check minimum score
 run: |
 SCORE=$(jq -r '.score // 0' results.json 2>/dev/null || echo "0")
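Review bot: The `Persist score JSON for the gate job` upload step leaves `if-no-files-found` at its default of `warn`, so if the preceding scorecard step ever completes without writing `results.json` the producer job goes green and the problem only surfaces downstream as an artifact-not-found error in `Download score JSON` or as a 0 score at the gate; add `if-no-files-found: error` under that step's `with:` so the missing input fails at its source. The download step has no `path:`, so the file lands in the workspace root and the `Check minimum score` step reads `results.json` relative to it — an explicit `path: .` would make that coupling visible to the next editor. Pinning both artifact actions to full commit SHAs with a version comment, and giving `check-score` only `contents: read` with no checkout, keeps the gate job's surface appropriately small. The `run: |` body of the gate step continues outside the hunk.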