From 15f98c75ed4d52468208a4fb3949a56e9d6f912f Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Sat, 30 May 2026 16:57:54 +0100
Subject: [PATCH] ci(scorecard): add job-level permissions for reusable
 workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The `scorecard-reusable.yml` reusable requires the calling `analysis` job
to declare `security-events: write` and `id-token: write` — called-workflow
permissions are CAPPED by the caller's block (the reusable docstring
states this explicitly).

Without this, every Scorecard run silently fails with `startup_failure`
because ossf/scorecard-action cannot upload SARIF.

Estate-wide sweep tracked at hyperpolymath/standards#282; same pattern as
julia-professional-registry#19 (2026-05-27) and absolute-zero#68
(2026-05-30).

Refs hyperpolymath/standards#282

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/scorecard.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 969ad71..4d46bb7 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -12,5 +12,8 @@ permissions: read-all
 
 jobs:
   analysis:
+    permissions:
+      security-events: write
+      id-token: write
     uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@e0caf11508a3989574713c78f5f444f2ce5e33ef
     secrets: inherit