From 70988d6a2ed9636ae3c4a71b481472626d01e726 Mon Sep 17 00:00:00 2001
From: Martin Hutchinson
Date: Wed, 7 Aug 2024 10:43:10 +0100
Subject: [PATCH] Update token used for scorecard

This was previously using a github secret that was per-repo. I've switched it over to an org-level secret, which should allow us to avoid copying and pasting the secret around a number of times. Added a note that we should switch over to branch protection rulesets instead, which should mean that this read permission isn't needed at all. Motivation is that the original token is expiring within the week.
---
 .github/workflows/scorecard.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index bf82634..06bc3f1 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -45,7 +45,9 @@ jobs:
 # - you want to enable the Branch-Protection check on a *public* repository, or
 # - you are installing Scorecards on a *private* repository
 # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
- repo_token: ${{ secrets.SCORECARD_TOKEN }}
+ # TODO(mhutchinson): Instead of this, we should use rulesets and then permissions are not needed:
+ # https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets
+ repo_token: ${{ secrets.TD_SCORECARD_READ_TOKEN }}
 # Public repositories:
 # - Publish results to OpenSSF REST API for easy access by consumers