Fix scorecard workflow permissions

Author: nosborn

.github/workflows/scorecard.yml

@@ -1,4 +1,7 @@
 # yamllint disable rule:line-length
+#
+# There are restrictions on this workflow:
+# https://github.com/ossf/scorecard-action#workflow-restrictions
 ---
 name: OpenSSF Scorecard
 
@@ -10,18 +13,20 @@ on:
       - master
   branch_protection_rule: {}
 
-permissions:
-  actions: read
+permissions: # no workflow-level write permissions allowed
   contents: read
-  id-token: write
-  security-events: write
 
 concurrency:
   group: scorecard
   cancel-in-progress: true
 
 jobs:
   analysis:
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
+      security-events: write
     if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     steps: