From e86d2e4824a4ccceefe2531cbe0923eea39f927d Mon Sep 17 00:00:00 2001
From: Aviv Keller
Date: Thu, 25 Dec 2025 15:22:34 -0500
Subject: [PATCH] fix(ci): declare permissions at the top-level
---
 .github/workflows/scorecard.yml | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index c324bfd..aa66b6a 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -16,20 +16,18 @@ on:
 - main
 workflow_call:
-# Declare default permissions as read only.
-permissions: read-all
+permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ contents: read
+ actions: read
 jobs:
 analysis:
 name: Scorecard analysis
 runs-on: ubuntu-latest
- permissions:
- # Needed to upload the results to code-scanning dashboard.
- security-events: write
- # Needed to publish results and get a badge (see publish_results below).
- id-token: write
- contents: read
- actions: read
 steps:
 - name: Harden Runner