diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index c324bfd..aa66b6a 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -16,20 +16,18 @@ on:
 - main
 workflow_call:
-# Declare default permissions as read only.
-permissions: read-all
+permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ contents: read
+ actions: read
 jobs:
 analysis:
 name: Scorecard analysis
 runs-on: ubuntu-latest
- permissions:
- # Needed to upload the results to code-scanning dashboard.
- security-events: write
- # Needed to publish results and get a badge (see publish_results below).
- id-token: write
- contents: read
- actions: read
 steps:
 - name: Harden Runner
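Review bot: The new top-level `permissions:` block grants `security-events: write` and `id-token: write` to every job in the workflow, present or added later, where the removed lines scoped them to `jobs.analysis` under a `permissions: read-all` default. Only one job is visible in this hunk, so the effective token is probably unchanged today, but the least-privilege default is gone, and Scorecard's own Token-Permissions check rates workflow-level write permissions below job-level ones. If `publish_results` is enabled (the comment refers to it, but the step is outside the hunk), scorecard-action's documented workflow restrictions also disallow workflow-level write permissions, so publishing may be rejected; this is worth confirming against the action's README. I would keep `permissions: read-all` at the top level and leave the four-entry `permissions:` block under `analysis:`.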