diff --git a/.github/workflows/pr-container-scan.yml b/.github/workflows/pr-container-scan.yml index 67e737a..1d7b266 100644 --- a/.github/workflows/pr-container-scan.yml +++ b/.github/workflows/pr-container-scan.yml @@ -18,14 +18,15 @@ on: - '**/pom.xml' - '.github/workflows/pr-container-scan.yml' -permissions: - contents: read - security-events: write # for Trivy SARIF upload to Security tab +permissions: read-all jobs: scan: runs-on: ubuntu-latest timeout-minutes: 20 + permissions: + contents: read + security-events: write # required for Trivy SARIF upload to Security tab steps: - name: Checkout diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3bf166b..4cbea7b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -147,7 +147,12 @@ jobs: env: VERSION: ${{ needs.build-and-push.outputs.version }} run: | - served=$(curl -s http://localhost:7979/actuator/info | python -c "import sys,json; print(json.load(sys.stdin).get('build',{}).get('version','?'))") + # Avoid `curl | python` (Scorecard's downloadThenRun heuristic flags + # any download piped directly into an interpreter, regardless of the + # source). Capture the body first, then parse — same behavior, no + # supply-chain footgun pattern. + info=$(curl -s http://localhost:7979/actuator/info) + served=$(echo "$info" | python -c "import sys,json; print(json.load(sys.stdin).get('build',{}).get('version','?'))") if [ "$served" != "$VERSION" ]; then echo "ERROR: image reports version=$served but tag is $VERSION" exit 1
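Review bot: The new top-level `permissions: read-all` is broader than least privilege requires: it hands read on every scope to any job in this workflow that does not declare its own block, while the only job visible here, `scan`, already overrides it with `contents: read` / `security-events: write` (job-level `permissions` replaces the workflow-level block rather than merging with it). Since the job carries its own grant, the workflow level can be the empty set, `permissions: {}`, so a future job added without a block starts from nothing instead of from read-everything. The comment on `security-events: write` should also carry a caveat: on `pull_request` events from forks the `GITHUB_TOKEN` is read-only regardless of this declaration and the SARIF upload will fail, so the upload step needs an `if:` guard on same-repo PRs or `continue-on-error: true`; and if the trigger is `pull_request_target`, a write-capable token next to a checkout of the PR head is a known escalation path. The `on:` trigger and the remainder of the `scan` job are outside this hunk, so which case applies cannot be confirmed from here.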
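Review bot: The new `info=$(curl -s http://localhost:7979/actuator/info)` line keeps `-s` but has no `-f`/`--fail` and no timeout, so an HTTP error page (a 404 or a 503 while the container is still starting) comes back with exit 0 and is handed to `json.load`, which then dies with an opaque JSONDecodeError traceback rather than a message naming the HTTP status; `info=$(curl -sSf --max-time 10 http://localhost:7979/actuator/info)` fails the step at the right place and prints the status. The mismatch branch would also be far easier to debug if it showed what the endpoint actually returned, e.g. `echo "ERROR: image reports version=$served but tag is $VERSION (body: $info)"`. Note that the "same behavior" claim in the new comment holds only because GitHub's default `bash -e` aborts on the failing assignment — if this step sets `shell: bash` explicitly, `pipefail` was already on and the old pipeline would have failed on curl errors too. The enclosing step begins before this hunk (its `- name:` and any readiness wait for the container are not visible), so whether a retry loop precedes this call cannot be confirmed from here.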