diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index e0e3552..2b8ce43 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -26,6 +26,8 @@ jobs:
       security-events: write
       # Needed for GitHub OIDC token if publish_results is true
       id-token: write
+      contents: read
+      actions: read
 
     steps:
       - name: "Checkout code"