From e4841c5bea683cc85fb96a3c56233582b8331dc7 Mon Sep 17 00:00:00 2001
From: M B
Date: Sun, 15 Feb 2026 01:24:00 +0000
Subject: [PATCH] fix(ci): set caller-scope permissions for reusable review workflows
---
 .github/workflows/claude-review-manual.yml | 8 +++-----
 .github/workflows/opencode-review-manual.yml | 8 +++-----
 2 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/claude-review-manual.yml b/.github/workflows/claude-review-manual.yml
index f31760c..d830f06 100644
--- a/.github/workflows/claude-review-manual.yml
+++ b/.github/workflows/claude-review-manual.yml
@@ -15,14 +15,12 @@ on:
 permissions:
 contents: read
+ pull-requests: write # zizmor: ignore[excessive-permissions] required for reusable review workflow
+ issues: write # zizmor: ignore[excessive-permissions] required for reusable review workflow
+ id-token: write # zizmor: ignore[excessive-permissions] required for Azure OIDC login
 jobs:
 claude-review:
- permissions:
- contents: read
- pull-requests: write
- issues: write
- id-token: write
 uses: codingworkflow/codingworkflow-security-policies/.github/workflows/reusable-claude-review.yml@55070d1bc124fbe46d9a8edbc8d536826d4e15ed
 with:
 pr_number: ${{ inputs.pr_number }}
diff --git a/.github/workflows/opencode-review-manual.yml b/.github/workflows/opencode-review-manual.yml
index aaed6b2..665ba5a 100644
--- a/.github/workflows/opencode-review-manual.yml
+++ b/.github/workflows/opencode-review-manual.yml
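Review bot: The three write scopes added under the top-level `permissions:` in claude-review-manual.yml now apply to every job in the workflow rather than only to `claude-review`, and the inline `# zizmor: ignore[excessive-permissions]` comments silence the check that would flag this; the `opencode-review` hunk in opencode-review-manual.yml has the same shape. Only one job is visible in each hunk, so the effective grant may be unchanged today, but any job added later would inherit `pull-requests: write`, `issues: write` and `id-token: write` by default. If the job-level block was removed because it did not work for the reusable-workflow call, record that above `permissions:`, for example `# Workflow-level on purpose: <reason job-level permissions were not sufficient>; keep this file single-job.` Because `id-token: write` allows any job in the file to request an OIDC token, it is also worth confirming that the Azure federated credential's subject is restricted to this repository and the expected ref or reusable workflow, which the patch does not show.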
@@ -30,14 +30,12 @@ on:
 permissions:
 contents: read
+ pull-requests: write # zizmor: ignore[excessive-permissions] required for reusable review workflow
+ issues: write # zizmor: ignore[excessive-permissions] required for reusable review workflow
+ id-token: write # zizmor: ignore[excessive-permissions] required for Azure OIDC login
 jobs:
 opencode-review:
- permissions:
- contents: read
- pull-requests: write
- issues: write
- id-token: write
 uses: codingworkflow/codingworkflow-security-policies/.github/workflows/reusable-opencode-review.yml@55070d1bc124fbe46d9a8edbc8d536826d4e15ed
 with:
 pr_number: ${{ inputs.pr_number }}