diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b80da1c..e840456 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -34,7 +34,7 @@ jobs:
           #   mix release
 
       # TODO: Upload build artifacts if needed
-      # - uses: actions/upload-artifact@v4
+      # - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       #   with:
       #     name: release-artifacts
       #     path: target/release/
@@ -94,7 +94,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       # TODO: Download build artifacts if uploading to the release
-      # - uses: actions/download-artifact@v4
+      # - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
       #   with:
       #     name: release-artifacts
       #     path: artifacts/
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 29853b2..47a020c 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -20,6 +20,9 @@ permissions:
 
 jobs:
   analysis:
+    permissions:
+      security-events: write
+      id-token: write
     runs-on: ubuntu-latest
     permissions:
       security-events: write