From f0f09d54a9308a21edf3c218c3e43440cac2adaf Mon Sep 17 00:00:00 2001
From: Nick Osborn
Date: Thu, 12 Jun 2025 13:57:12 +0800
Subject: [PATCH] Fix scorecard workflow permissions
---
 .github/workflows/scorecard.yml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index e20240d..9ac272c 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -1,4 +1,7 @@
 # yamllint disable rule:line-length
+#
+# There are restrictions on this workflow:
+# https://github.com/ossf/scorecard-action#workflow-restrictions
 ---
 name: OpenSSF Scorecard
@@ -10,11 +13,8 @@ on:
 - master
 branch_protection_rule: {}
-permissions:
- actions: read
+permissions: # no workflow-level write permissions allowed
 contents: read
- id-token: write
- security-events: write
 concurrency:
 group: scorecard
@@ -22,6 +22,11 @@ concurrency:
 jobs:
 analysis:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ security-events: write
 if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
 runs-on: ubuntu-latest
 steps:
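Review bot: The job-level `permissions` block added to `analysis` in the third hunk grants `id-token: write` and `security-events: write` with no indication of what each scope is for, so a later editor cannot tell which one is safe to drop. I would put one comment above each write scope, along the lines of `# Needed to upload the results to the code-scanning dashboard.` for `security-events: write` and `# Needed to publish results (OIDC token).` for `id-token: write`, which is how the upstream scorecard-action template documents them. The `if:` line in the same hunk also lets this job run when `github.event_name == 'pull_request'`, so both write scopes appear to be requested for pull-request runs too; it is worth confirming that this is intended rather than limiting them to default-branch runs. The job's `steps:` continue outside the hunk, so whether they stay within the approved-step list described at the linked workflow-restrictions page cannot be checked from here.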