From 4ec963d41c402e38620d2f46195189ed05a56238 Mon Sep 17 00:00:00 2001
From: devitway
Date: Thu, 19 Mar 2026 10:35:57 +0000
Subject: [PATCH] fix: add repo_token and permissions to scorecard workflow

---
 .github/workflows/scorecard.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index a9478c7..81bc156 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -4,7 +4,7 @@ on:
   push:
     branches: [main]
   schedule:
-    - cron: '0 6 * * 1' # every Monday at 06:00 UTC
+    - cron: '0 6 * * 1'
 
 permissions: read-all
 
@@ -15,20 +15,21 @@ jobs:
     permissions:
       security-events: write
       id-token: write
+      contents: read
+      actions: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
-      # Note: scorecard-action is a Docker-based action that resolves by tag only,
-      # SHA pinning causes resolution failures. Using tag per ossf recommendation.
       - name: Run OpenSSF Scorecard
         uses: ossf/scorecard-action@v2.4.3
         with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
+          repo_token: ${{ secrets.SCORECARD_TOKEN || secrets.GITHUB_TOKEN }}
       - name: Upload Scorecard results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
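Review bot: The first hunk drops the `# every Monday at 06:00 UTC` comment from the cron line without touching the schedule itself, and the second hunk likewise removes the two-line note that explained why ossf/scorecard-action is pinned by tag; neither removal is mentioned in the commit message, so the rationale is lost for the next reader. If the tag pin is intentional, keep a one-line reason next to `uses: ossf/scorecard-action@v2.4.3`, because the neighbouring checkout and upload-sarif steps are SHA-pinned with a version comment, which leaves this step as the odd one out and, as far as I know, is exactly what Scorecard's own Pinned-Dependencies check reports. If the pin is instead being moved to a commit SHA in a follow-up, say so in the message rather than silently deleting the note. The second hunk's closing lines (the upload-sarif step's `with:` block) fall outside the patch text shown here.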