From 69f3a2dce05ffbe59b20899a81c8106ea4dbd0fc Mon Sep 17 00:00:00 2001 From: M B Date: Sun, 15 Feb 2026 01:09:05 +0000 Subject: [PATCH 1/2] fix(ci): grant required permissions to review wrappers --- .github/workflows/claude-review-manual.yml | 6 +++++- .github/workflows/opencode-review-manual.yml | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/claude-review-manual.yml b/.github/workflows/claude-review-manual.yml index 11bfc09..60d8331 100644 --- a/.github/workflows/claude-review-manual.yml +++ b/.github/workflows/claude-review-manual.yml @@ -13,7 +13,11 @@ on: default: false type: boolean -permissions: {} +permissions: + contents: read + pull-requests: write + issues: write + id-token: write jobs: claude-review: diff --git a/.github/workflows/opencode-review-manual.yml b/.github/workflows/opencode-review-manual.yml index aad74ff..46a8297 100644 --- a/.github/workflows/opencode-review-manual.yml +++ b/.github/workflows/opencode-review-manual.yml @@ -28,7 +28,11 @@ on: default: false type: boolean -permissions: {} +permissions: + contents: read + pull-requests: write + issues: write + id-token: write jobs: opencode-review: From ec622e0327585a20d8961ec7bbb236a7fb2bf2e1 Mon Sep 17 00:00:00 2001 From: M B Date: Sun, 15 Feb 2026 01:10:40 +0000 Subject: [PATCH 2/2] fix(ci): scope review permissions to job level --- .github/workflows/claude-review-manual.yml | 8 +++++--- .github/workflows/opencode-review-manual.yml | 8 +++++--- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/.github/workflows/claude-review-manual.yml b/.github/workflows/claude-review-manual.yml index 60d8331..f31760c 100644 --- a/.github/workflows/claude-review-manual.yml +++ b/.github/workflows/claude-review-manual.yml 
@@ -15,12 +15,14 @@ on: permissions: contents: read - pull-requests: write - issues: write - id-token: write jobs: claude-review: + permissions: + contents: read + pull-requests: write + issues: write + id-token: write uses: codingworkflow/codingworkflow-security-policies/.github/workflows/reusable-claude-review.yml@55070d1bc124fbe46d9a8edbc8d536826d4e15ed with: pr_number: ${{ inputs.pr_number }} diff --git a/.github/workflows/opencode-review-manual.yml b/.github/workflows/opencode-review-manual.yml index 46a8297..aaed6b2 100644 --- a/.github/workflows/opencode-review-manual.yml +++ b/.github/workflows/opencode-review-manual.yml @@ -30,12 +30,14 @@ on: permissions: contents: read - pull-requests: write - issues: write - id-token: write jobs: opencode-review: + permissions: + contents: read + pull-requests: write + issues: write + id-token: write uses: codingworkflow/codingworkflow-security-policies/.github/workflows/reusable-opencode-review.yml@55070d1bc124fbe46d9a8edbc8d536826d4e15ed with: pr_number: ${{ inputs.pr_number }}
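Review bot: The job-level block in claude-review-manual.yml grants `id-token: write` to a reusable workflow from another repository without recording what it is for; an OIDC token minted under that grant carries this repository's identity, so any cloud trust policy bound to this repo is reachable by the callee. A one-line why-comment would keep the grant from surviving after it is no longer needed, e.g. `id-token: write  # OIDC token exchange for the review action — drop if the callee stops using it`. The repeated `contents: read` is not redundant and deserves a note too, since a job-level `permissions` block replaces the workflow-level one rather than merging with it: `contents: read  # job-level permissions replace the workflow-level set; keep read here`. The callee is pinned to a full commit SHA, which is the right choice; appending the tag it corresponds to as a trailing comment on the `uses:` line would make future bumps reviewable.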
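Review bot: The opencode-review job hands `pull-requests: write`, `issues: write` and an OIDC-capable token to the callee while taking an arbitrary `pr_number` input, and nothing in this hunk shows whether the reusable workflow checks out and executes the referenced PR head. If it does, a dispatcher pointed at a fork PR would be running untrusted code with those tokens, which is the classic pwn-request shape; `workflow_dispatch` narrows who can trigger it, but not what the PR can carry. This should be confirmed against the callee and stated next to the grant, e.g. `# NOTE: these tokens reach the callee; it must not execute code from the PR head (verify in reusable-opencode-review.yml)`. If the callee only reads the diff and posts comments, the write scopes are appropriate and the comment still documents that assumption for the next change.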