Attempt to restrict permissions

mhucka · mhucka · commit 3fddea213264 · 2025-08-25T14:13:26.000-07:00
diff --git a/.github/workflows/scorecard-scanner.yaml b/.github/workflows/scorecard-scanner.yaml
@@ -63,7 +63,10 @@ jobs:
     if: github.repository_owner == 'quantumlib'
     name: Run Scorecard analyzer
     runs-on: ubuntu-24.04
-    permissions: write-all
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     timeout-minutes: 15
     steps:
       - name: Check out a copy of the git repository
diff --git a/.github/workflows/weekly.yaml b/.github/workflows/weekly.yaml
@@ -49,7 +49,10 @@ jobs:
     if: github.repository_owner == 'quantumlib'
     name: Run periodic open-source vulnerabilities scanner
     uses: ./.github/workflows/osv-scanner.yaml
-    permissions: write-all
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     with:
       reason: '(weekly)'
       debug: github.event.inputs.debug
@@ -58,7 +61,10 @@ jobs:
     if: github.repository_owner == 'quantumlib'
     name: Run periodic Scorecard analysis
     uses: ./.github/workflows/scorecard-scanner.yaml
-    permissions: write-all
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     secrets: inherit
     with:
       reason: '(weekly)'
