Fix permissions for scorecard action so it doesnt report itself

Signed-off-by: Nigel Jones <[email protected]>
planetf1 · Apr 19, 2024 · d529c69 · d529c69
1 parent c0aa784
commit d529c69
Showing 1 changed file with 2 additions and 6 deletions.
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -1,11 +1,7 @@
 name: Scorecard supply-chain security
 
-permissions:
-  contents: read
-  # needed to allow a badge to be created
-  # ie [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}/badge)](https://securityscorecards.dev/viewer/?uri=github.com/{owner}/{repo})
-  id-token: write
-  security-events: write
+permissions: read-all
+
 on:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection