Fix PR workflow runs (#2123)

* Run scorecard workflow with models:read

Signed-off-by: Spencer Wilson <[email protected]>

* Remove all permissions for scorecard workflow

Signed-off-by: Spencer Wilson <[email protected]>

* Add security-events and id-token perms

Signed-off-by: Spencer Wilson <[email protected]>

* Clean up comments

Signed-off-by: Spencer Wilson <[email protected]>

* Update commit-to-main and weekly calls

Signed-off-by: Spencer Wilson <[email protected]>

---------

Signed-off-by: Spencer Wilson <[email protected]>

Author: SWilson4

.github/workflows/commit-to-main.yml

@@ -15,24 +15,9 @@ jobs:
   scorecard:
     uses: ./.github/workflows/scorecard.yml
     secrets: inherit
-    # complete list of permissions keys as per
-    # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions
-    # accessed September 4, 2024
     permissions:
-      actions: read
-      attestations: read
-      checks: read
-      contents: read
-      deployments: read
       id-token: write
-      issues: read
-      discussions: read
-      packages: read
-      pages: read
-      pull-requests: read
-      repository-projects: read
       security-events: write
-      statuses: read
 
   basic-downstream:
     uses: ./.github/workflows/downstream-basic.yml

.github/workflows/pr.yml

@@ -22,21 +22,6 @@ jobs:
     needs: basic-checks
     uses: ./.github/workflows/scorecard.yml
     secrets: inherit
-    # complete list of permissions keys as per
-    # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions
-    # accessed September 4, 2024
     permissions:
-      actions: read
-      attestations: read
-      checks: read
-      contents: read
-      deployments: read
       id-token: write
-      issues: read
-      discussions: read
-      packages: read
-      pages: read
-      pull-requests: read
-      repository-projects: read
       security-events: write
-      statuses: read

.github/workflows/scorecard.yml

@@ -1,6 +1,6 @@
 name: Scorecard supply-chain security
 
-permissions: read-all
+permissions: {}
 
 on:
   # For Branch-Protection check. Only the default branch is supported. See

.github/workflows/weekly.yml

@@ -14,24 +14,9 @@ jobs:
   scorecard:
     uses: ./.github/workflows/scorecard.yml
     secrets: inherit
-    # complete list of permissions keys as per
-    # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions
-    # accessed September 4, 2024
     permissions:
-      actions: read
-      attestations: read
-      checks: read
-      contents: read
-      deployments: read
       id-token: write
-      issues: read
-      discussions: read
-      packages: read
-      pages: read
-      pull-requests: read
-      repository-projects: read
       security-events: write
-      statuses: read
 
   extended-tests:
     uses: ./.github/workflows/extended.yml