From e5e9ae1b2ae0b6d1fcecb4c0211d1e39522d61cc Mon Sep 17 00:00:00 2001
From: John Bohannon <imjohnbo@github.com>
Date: Wed, 1 Nov 2023 21:18:57 -0400
Subject: [PATCH] Update scorecards.yml

---
 .github/workflows/scorecards.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index c808073..2911022 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -1,5 +1,6 @@
 name: Scorecards supply-chain security
 on:
+  workflow_dispatch:
   # Only the default branch is supported.
   branch_protection_rule:
   schedule:
@@ -19,6 +20,7 @@ jobs:
       security-events: write
       actions: read
       contents: read
+      id-token: write
 
     steps:
       - name: "Checkout code"
@@ -27,13 +29,10 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
-          # Read-only PAT token. To create it,
-          # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
-          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
           # Publish the results to enable scorecard badges. For more details, see
           # https://github.com/ossf/scorecard-action#publishing-results.
           # For private repositories, `publish_results` will automatically be set to `false`,