Merge pull request #29 from kpumuk/fix/scorecard-token-permissions

kpumuk · web-flow · commit abbabfc06eb0 · 2026-03-19T11:32:59.000-04:00
Restrict release workflow token permissions
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,15 +6,17 @@ on:
       - "v*"
 
 permissions:
-  contents: write
-  attestations: write
-  id-token: write
+  contents: read
 
 jobs:
   goreleaser:
     name: release
     runs-on: ubuntu-latest
     environment: release
+    permissions:
+      contents: write
+      attestations: write
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
