From a790b57c33eefe995fb59674bbe18cb027cfacc3 Mon Sep 17 00:00:00 2001
From: github-actions <action@github.com>
Date: Mon, 2 Feb 2026 11:35:43 +0000
Subject: [PATCH] Align files

---
 .github/workflows/zz_generated.create_release.yaml     | 8 +++++---
 .github/workflows/zz_generated.run_ossf_scorecard.yaml | 6 +++++-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/zz_generated.create_release.yaml b/.github/workflows/zz_generated.create_release.yaml
index cfb36198..0bf5753f 100644
--- a/.github/workflows/zz_generated.create_release.yaml
+++ b/.github/workflows/zz_generated.create_release.yaml
@@ -2,7 +2,7 @@
 #
 #    devctl
 #
-#    https://github.com/giantswarm/devctl/blob/1acd23e6a78c21ca61ccbe8a7e5a8a3139feeab5/pkg/gen/input/workflows/internal/file/create_release.yaml.template
+#    https://github.com/giantswarm/devctl/blob/72df19d0bff1cc8a679b00fdb4ac4e2504f8962a/pkg/gen/input/workflows/internal/file/create_release.yaml.template
 #
 name: Create Release
 on:
@@ -111,6 +111,8 @@ jobs:
           smoke_test: "${binary} --version"
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Update project.go
         id: update_project_go
         env:
@@ -175,6 +177,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.sha }}
+          persist-credentials: false
       - name: Ensure correct version in project.go
         if: ${{ needs.gather_facts.outputs.project_go_path != '' && needs.gather_facts.outputs.ref_version != 'true' }}
         run: |
@@ -203,11 +206,10 @@ jobs:
       - name: Create release
         id: create_gh_release
         uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b  # v1.20.0
-        env:
-          GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}"
         with:
           body: ${{ steps.changelog_reader.outputs.changes }}
           tag: "v${{ needs.gather_facts.outputs.version }}"
+          token: ${{ secrets.TAYLORBOT_GITHUB_ACTION }}
           skipIfReleaseExists: true
 
   create-release-branch:
diff --git a/.github/workflows/zz_generated.run_ossf_scorecard.yaml b/.github/workflows/zz_generated.run_ossf_scorecard.yaml
index e089872e..317cc41f 100644
--- a/.github/workflows/zz_generated.run_ossf_scorecard.yaml
+++ b/.github/workflows/zz_generated.run_ossf_scorecard.yaml
@@ -2,7 +2,7 @@
 #
 #    devctl
 #
-#    https://github.com/giantswarm/devctl/blob/87f30fd3b955a0daf6017834a776c222d93a207c/pkg/gen/input/workflows/internal/file/run_ossf_scorecard.yaml.template
+#    https://github.com/giantswarm/devctl/blob/4897b6ea0f98cfba54f8d3003f5bdcefb968a7b5/pkg/gen/input/workflows/internal/file/run_ossf_scorecard.yaml.template
 #
 
 # This workflow uses actions that are not certified by GitHub. They are provided
@@ -31,6 +31,10 @@ jobs:
     uses: giantswarm/github-workflows/.github/workflows/ossf-scorecard.yaml@main
     permissions:
       contents: read
+      actions: read
+      issues: read
+      pull-requests: read
+      checks: read
       security-events: write
       id-token: write
     secrets: