From 64b438ebe39aacb4935e52c0f9adc094c91e9a32 Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 10 Jul 2026 01:41:17 +0000 Subject: [PATCH] fix(ci): let Scorecard publish by making top-level workflow permissions read-only The Scorecard supply-chain security run on master fails because ossf/scorecard-action refuses to publish results when the workflow grants security-events: write at the top level. Move to top-level 'permissions: read-all'; the analysis job keeps its own id-token/security-events write grants, so SARIF upload is unaffected. Co-Authored-By: Claude Fable 5 Claude-Session: https://claude.ai/code/session_01Hw6V6hgwiNNe74eSCFymtP --- .github/workflows/scorecard.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index ed6203f..1a95f2a 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -7,10 +7,10 @@ on: schedule: - cron: "27 3 * * 1" -permissions: - actions: read - contents: read - security-events: write +# scorecard-action refuses to publish results when the workflow grants +# write permissions at the top level; the analysis job below declares the +# id-token/security-events writes it needs. +permissions: read-all jobs: analysis: