diff --git a/.github/workflows/nuget-online-convergence.yml b/.github/workflows/nuget-online-convergence.yml
index 1af3a78..2609226 100644
--- a/.github/workflows/nuget-online-convergence.yml
+++ b/.github/workflows/nuget-online-convergence.yml
@@ -26,7 +26,10 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 with:
- ref: ${{ github.event.workflow_run.head_sha }}
+ # Security hardening: do not checkout workflow_run head_sha in a privileged workflow.
+ # Always use the trusted default branch content for verifier scripts.
+ ref: ${{ github.event.repository.default_branch }}
+ persist-credentials: false
 - name: Resolve release metadata
 id: meta
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index fc7893e..66366a3 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -10,7 +10,6 @@ on:
 permissions:
 security-events: write
- id-token: write
 contents: read
 actions: read
@@ -29,7 +28,9 @@ jobs:
 with:
 results_file: artifacts/ci/scorecard/results.sarif
 results_format: sarif
- publish_results: true
+ # Keep deterministic local evidence + SARIF upload, avoid remote publish rejection
+ # when workflow permissions include security-events write for SARIF upload.
+ publish_results: false
 - name: Upload SARIF to code scanning
 uses: github/codeql-action/upload-sarif@v3
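Review bot: `uses: actions/checkout@v4` is still a floating major tag, so the hardening on this step stops at the ref: whatever code the `v4` tag points at on a given day is what runs, regardless of which branch it then checks out. Pin the action to a full commit SHA with a version comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, and the same applies to `github/codeql-action/upload-sarif@v3` in the scorecard hunk. Separately, `ref: ${{ github.event.repository.default_branch }}` is a moving branch rather than a pinned revision, so if the verifier's evidence is meant to be reproducible the "Resolve release metadata" step (its body is outside the hunk) should record the checked-out commit, for example via `git rev-parse HEAD`. The job's `permissions` block is also outside the hunk, so the "privileged workflow" premise in the new comment could not be confirmed from what is shown.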
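Review bot: Setting `publish_results: false` here, together with dropping `id-token: write` in the earlier hunk of this file, removes the remote publish path entirely, whereas the rejection the new comment describes is, as I recall the scorecard-action documentation, caused by write permissions at the workflow's top level rather than by the SARIF upload as such: the documented shape is top-level `permissions: read-all` with `security-events: write` and `id-token: write` granted only on the scorecard job. Moving those two write grants from the top-level `permissions:` block to the job would keep both the SARIF upload and publishing working, and is worth trying before giving up the published score. If disabling publishing is the intended outcome, the two comment lines should state that plainly instead of describing the symptom, e.g. `# Publishing to the Scorecard API is intentionally disabled; results are kept only as local SARIF evidence.`. Either way the `id-token: write` removal is consistent with `publish_results: false`, but it would have to return at job level if publishing is restored.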