fix(ci): scorecard workflow failure fix

[malav2110]

Description

This PR fixes scorecard workflow failure due to limited read permissions.

Related Issues

#8455

Check List

• I have read the Contributing Guidelines and made commit messages that follow the guideline.
• I have run pnpm format to ensure the code follows the style guide.
• I have run pnpm test to check if all tests are passing.
• I have run pnpm build to check if the website builds without errors.
• I've covered new added functionality with unit tests if necessary.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
nodejs-org	Ready	Preview	Dec 25, 2025 6:50pm

[github-actions]

👋 Codeowner Review Request

The following codeowners have been identified for the changed files:

Team reviewers: @nodejs/web-infra

Please review the changes when you have a chance. Thank you! 🙏

[MattIPv4]

Do you have docs or a reference for this action needing all these permissions? This seems like a lot of access to be giving?

[Copilot]

Pull request overview

This PR addresses a scorecard workflow failure caused by insufficient read permissions. It adds explicit read permissions for multiple GitHub Actions scopes to the scorecard analysis job.

Key Changes:

• Adds 12 additional read permissions to the scorecard workflow job to resolve permission-related failures

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[avivkeller]

I'm -1 on giving all these permissions explicitly, I'd rather figure out why it's requesting them and fix the issue wherever there may be

[malav2110]

The reason for adding these permissions is that when the workflow tried to run without them, it failed with this error

The workflow is not valid. .github/workflows/scorecard.yml (Line: 18, Col: 3): Error calling workflow 'nodejs/web-team/.github/workflows/scorecard.yml@2c2897a93eb99b4cdca270729100bc0887c758d9'. The workflow is requesting 'artifact-metadata: read, attestations: read, checks: read, deployments: read, discussions: read, issues: read, models: read, packages: read, pages: read, pull-requests: read, repository-projects: read, statuses: read', but is only allowed 'artifact-metadata: none, attestations: none, checks: none, deploy[...]

GitHub enforces that we must grant at minimum what a reusable workflow requests, even though the official Scorecard documentation only needs 4 permissions: security-events: write, id-token: write, contents: read, actions: read.

So, either we grant all permissions the reusable workflow requests, or we implement the scorecard action directly in our workflow.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[avivkeller]

Let's figure out why the re usable workflow is requesting all these permissions, I assume it's requesting read all when it really doesn't have to

[malav2110]

Root Cause Found:
I investigated why we needed all these additional permissions. The issue is in the reusable workflow from web-team, which has permissions: read-all at the top level. This forces any calling workflow to grant all read permissions, even though the scorecard action itself only needs 4.

I opened upstream issue: nodejs/web-team#82 to fix the root cause.

[ovflowd]

Root Cause Found: I investigated why we needed all these additional permissions. The issue is in the reusable workflow from web-team, which has permissions: read-all at the top level. This forces any calling workflow to grant all read permissions, even though the scorecard action itself only needs 4.

I opened upstream issue: nodejs/web-team#82 to fix the root cause.

Thanks for investigating it, @malav2110!

[ovflowd]

@avivkeller can you double check we won't need this PR of any shape or form?