chore: scope permissions down for one GHA (#2849)

dougch · web-flow · commit df20953ef1d5 · 2025-10-13T11:22:07.000-07:00
diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml
@@ -23,9 +23,14 @@ on:
     # run every morning at 10am Pacific Time
     - cron: "0 17 * * *"
 
+permissions:
+  contents: read  # This is required for actions/checkout
+
 jobs:
   audit:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # Required for GITHUB_TOKEN usage
     steps:
       - uses: actions/checkout@v5
         with:
