From c3b564ee4cd13f0e3116aa9f4f631aeb5395c2f6 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Sun, 31 May 2026 11:07:46 +0100
Subject: [PATCH] ci(scorecard): add job-level permissions for reusable
 workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reusable-workflow permission inheritance caps called-workflow
permissions by the caller's block. Without job-level overrides,
ossf/scorecard-action cannot upload SARIF — runs silently
startup_failure.

Refs hyperpolymath/standards#282

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/scorecard.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 24d0001..0ff0c86 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -12,5 +12,8 @@ permissions: read-all
 
 jobs:
   analysis:
+    permissions:
+      security-events: write
+      id-token: write
     uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@e0caf11508a3989574713c78f5f444f2ce5e33ef
     secrets: inherit