Context
The scheduled OpenSSF Scorecard run reports:
```text
Branch-Protection: internal error: error during branchesHandler.setup:
some github tokens can't read classic branch protection rules:
https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
```
That `-1` score drags the overall Scorecard average down even though branch protection IS configured on main (required-review, dismiss-stale, enforce_admins=false).
Fix
Per OSSF's docs, the default `GITHUB_TOKEN` can't read classic branch protection rules. The remediation is to either:
- Provision a fine-grained PAT with `Administration: read` for this repo, store it as repo secret `SCORECARD_TOKEN`, and wire it into `scorecard.yml` (`repo_token: ${{ secrets.SCORECARD_TOKEN }}`).
- Migrate from classic to ruleset-based branch protection — Scorecard can read rulesets via the default `GITHUB_TOKEN`. This is a one-time admin UI change in repo Settings → Rules. Cleaner long-term but changes who-bypasses-what semantics.
Either approach should lift Branch-Protection from `-1` to ~`8`+.
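The PAT route in workflow form, as an added example rather than this repo's actual `scorecard.yml`: the only functional change is the `repo_token` input, with the default-token line left commented out for contrast. The action version tag, the cron schedule and the `main` branch name are assumptions; in a real workflow the actions should be pinned to commit SHAs, which Scorecard's own Pinned-Dependencies check rewards.

```yaml
name: Scorecard supply-chain security

on:
  # Weekly scheduled run; schedule is an assumed placeholder.
  schedule:
    - cron: '30 1 * * 6'
  push:
    branches: [ main ]

# Keep the workflow-level GITHUB_TOKEN read-only; the PAT does the privileged read.
permissions: read-all

jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      # Needed only to upload the SARIF to code scanning.
      security-events: write
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the default token in the checkout's git config.
          persist-credentials: false

      - name: Run Scorecard
        uses: ossf/scorecard-action@v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          # Before: the default token cannot read classic branch protection,
          # so Branch-Protection reports "internal error" and scores -1.
          # repo_token: ${{ secrets.GITHUB_TOKEN }}
          #
          # After: fine-grained PAT with Administration: read on this repo,
          # stored as the SCORECARD_TOKEN repository secret.
          repo_token: ${{ secrets.SCORECARD_TOKEN }}

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Note that `SCORECARD_TOKEN` is a long-lived credential with admin read on the repo, so its expiry and rotation become part of the maintenance burden that the ruleset migration avoids.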
Acceptance criteria