fix(scorecard): don't declare any permissions at top-level (#85)

avivkeller · web-flow · commit b62c434f5e53 · 2026-01-07T00:52:23.000Z
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -16,19 +16,21 @@ on:
       - main
   workflow_call:
 
-permissions:
-  # Needed to upload the results to code-scanning dashboard.
-  security-events: write
-  # Needed to publish results and get a badge (see publish_results below).
-  id-token: write
-  contents: read
-  actions: read
+permissions: {}
 
 jobs:
   analysis:
     name: Scorecard analysis
     runs-on: ubuntu-latest
 
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      contents: read
+      actions: read
+
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
