fix: add id-token: write permission to scorecard reusable workflow (#1)

Fieldnote-Echo · claude · web-flow · commit 83f5a6860e88 · 2026-03-11T19:18:57.000-05:00
The Sigstore/Fulcio signing step requires a GitHub OIDC token to sign
scorecard results for publication. Reusable workflows have their own
permissions scope — the caller's id-token: write grant doesn't flow
through unless declared here.

Without this, the token expires immediately causing:
  error signing scorecard results: expired_token

Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -14,6 +14,7 @@ jobs:
     permissions:
       contents: read
       security-events: write
+      id-token: write
     steps:
       - name: Harden runner
         uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b  # v2.15.0
