From 51907d9f72e1582a1ff638015533da3db3d9f23d Mon Sep 17 00:00:00 2001
From: Guillaume Lours <705411+glours@users.noreply.github.com>
Date: Fri, 11 Apr 2025 15:35:55 +0200
Subject: [PATCH] fix zizmor security alerts on GHA workflows

Signed-off-by: Guillaume Lours <705411+glours@users.noreply.github.com>
---
 .github/workflows/ci.yml         |  4 +++-
 .github/workflows/scorecards.yml | 15 ++++++++++++---
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8d7eb00de..7956a4eeb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -77,8 +77,10 @@ jobs:
       - name: Prepare
         run: |
-          platform=${{ matrix.platform }}
+          platform=${MATRIX_PLATFORM}
           echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+        env:
+          MATRIX_PLATFORM: ${{ matrix.platform }}
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 20029b44c..b8f0e5e25 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -7,9 +7,6 @@ on:
   push:
     branches: [ "main" ]
 
-# Declare default permissions as read only.
-permissions: read-all
-
 jobs:
   analysis:
     name: Scorecards analysis
@@ -19,6 +16,18 @@ jobs:
       security-events: write
       # Used to receive a badge.
       id-token: write
+      # read permissions to all the other objects
+      actions: read
+      attestations: read
+      checks: read
+      contents: read
+      deployments: read
+      issues: read
+      discussions: read
+      packages: read
+      pages: read
+      pull-requests: read
+      statuses: read
     steps:
       - name: "Checkout code"
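Review bot: `$GITHUB_ENV` on the unchanged `echo` line of the ci.yml hunk is still unquoted; writing `echo "PLATFORM_PAIR=${platform//\//-}" >> "$GITHUB_ENV"` is the form that survives a runner path containing spaces and quiets shellcheck. Moving `matrix.platform` behind an `env:` variable is the right shape for the zizmor template-injection finding, though the matrix values are presumably declared in this workflow's own `strategy` block, so the original exposure was low. The enclosing job starts outside the hunk, so whether other `run:` blocks in ci.yml still interpolate `${{ }}` directly cannot be checked from here.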
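Review bot: Dropping the workflow-level `permissions: read-all` in the first scorecards.yml hunk means any job added to this workflow later falls back to the repository's default GITHUB_TOKEN permissions instead of an explicit floor; keeping a minimal workflow-level block such as `permissions: {}` or `permissions:` with `contents: read` alongside the new job-level grants preserves that default. The second hunk's job-level block lists eleven read scopes, but a job-level `permissions:` block already sets every unlisted scope to none, so only the scopes the steps actually use need listing; the comment `# read permissions to all the other objects` would be more useful as `# read scopes needed by the scorecards action and checkout; unlisted scopes are none`. The `security-events: write` and `id-token: write` grants are unchanged by this commit.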