diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
index 7932672cf..967cfe3d7 100644
--- a/.github/workflows/scorecards-analysis.yml
+++ b/.github/workflows/scorecards-analysis.yml
@@ -33,7 +33,8 @@ jobs:
     permissions:
       security-events: write    # Needed to upload the results to the code-scanning dashboard.
       actions: read
-      contents: read
+      id-token: write # This is required for requesting the JWT
+      contents: read  # This is required for actions/checkout
 
     steps: