fix(ci): set caller-scope permissions for reusable review workflows (#30)

Mehdi-Bl · web-flow · commit 19d34abbae29 · 2026-02-14T19:27:37.000-06:00
diff --git a/.github/workflows/claude-review-manual.yml b/.github/workflows/claude-review-manual.yml
@@ -15,14 +15,12 @@ on:
 
 permissions:
   contents: read
+  pull-requests: write # zizmor: ignore[excessive-permissions] required for reusable review workflow
+  issues: write # zizmor: ignore[excessive-permissions] required for reusable review workflow
+  id-token: write # zizmor: ignore[excessive-permissions] required for Azure OIDC login
 
 jobs:
   claude-review:
-    permissions:
-      contents: read
-      pull-requests: write
-      issues: write
-      id-token: write
     uses: codingworkflow/codingworkflow-security-policies/.github/workflows/reusable-claude-review.yml@55070d1bc124fbe46d9a8edbc8d536826d4e15ed
     with:
       pr_number: ${{ inputs.pr_number }}
diff --git a/.github/workflows/opencode-review-manual.yml b/.github/workflows/opencode-review-manual.yml
@@ -30,14 +30,12 @@ on:
 
 permissions:
   contents: read
+  pull-requests: write # zizmor: ignore[excessive-permissions] required for reusable review workflow
+  issues: write # zizmor: ignore[excessive-permissions] required for reusable review workflow
+  id-token: write # zizmor: ignore[excessive-permissions] required for Azure OIDC login
 
 jobs:
   opencode-review:
-    permissions:
-      contents: read
-      pull-requests: write
-      issues: write
-      id-token: write
     uses: codingworkflow/codingworkflow-security-policies/.github/workflows/reusable-opencode-review.yml@55070d1bc124fbe46d9a8edbc8d536826d4e15ed
     with:
       pr_number: ${{ inputs.pr_number }}
