From db2b8c209cf39ccae3fc2d70eabb10e696301abf Mon Sep 17 00:00:00 2001
From: Sandra Greenhalgh
Date: Fri, 3 Jul 2026 19:23:20 +0800
Subject: [PATCH] chore: fix workflow
---
 .github/workflows/_scan-ossf-scorecard.yml | 12 ++++++++++--
 .github/workflows/example-release.yml | 2 +-
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/_scan-ossf-scorecard.yml b/.github/workflows/_scan-ossf-scorecard.yml
index 3ebc9e4..56423e0 100644
--- a/.github/workflows/_scan-ossf-scorecard.yml
+++ b/.github/workflows/_scan-ossf-scorecard.yml
@@ -17,8 +17,16 @@ on:
 type: string
 default: ubuntu-latest
-# Declare default permissions as read only.
-permissions: read-all
+# Declare default permissions to match exactly what the `analysis` job below
+# requires. Reusable-workflow callers must grant at least this set on the
+# calling job, or GitHub Actions rejects the call - `read-all` was too broad
+# here since it expands to every permission scope (packages, issues, pages,
+# etc.), none of which this workflow actually uses.
+permissions:
+ security-events: write
+ id-token: write
+ contents: read
+ actions: read
 jobs:
 analysis:
diff --git a/.github/workflows/example-release.yml b/.github/workflows/example-release.yml
index 4ef7379..2fbee26 100644
--- a/.github/workflows/example-release.yml
+++ b/.github/workflows/example-release.yml
@@ -1,4 +1,4 @@
-name: example-pr
+name: example-release
 on:
 push:
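Review bot: `security-events: write` and `id-token: write` are now granted at workflow level in `_scan-ossf-scorecard.yml`, so every job in this file inherits them, including any job added later, whereas the previous `read-all` default carried no write scope at all. The new comment says the set matches what the `analysis` job needs, but the body of that job lies outside the hunk; if it does not already declare its own `permissions:` block, I would move the four scopes there and leave the top level at `permissions: {}`. Callers of the reusable workflow would still have to grant the same scopes on the calling job, so the call-validation fix described in the comment is kept. It is also worth confirming against the scorecard-action documentation whether publishing results tolerates workflow-level write permissions, since I recall it restricting `id-token: write` to the job that runs the action.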