Update pr-review.yml

derekmisler · web-flow · commit 8b1b707b61f0 · 2026-04-16T16:06:09.000-04:00
Signed-off-by: Derek Misler &lt;derek.misler@docker.com&gt;
diff --git a/.github/workflows/pr-review.yml b/.github/workflows/pr-review.yml
@@ -5,18 +5,22 @@ on:
     types: [created]
   pull_request_review_comment:
     types: [created]
-  pull_request_target:
+  pull_request:
     types: [ready_for_review, opened]
 
 permissions:
   contents: read
-  pull-requests: write
-  issues: write
 
 jobs:
   review:
     uses: docker/cagent-action/.github/workflows/review-pr.yml@d98096f432f2aea5091c811852c4da804e60623a # v1.4.1
-    secrets: inherit
+    # Scoped to the job so other jobs in this workflow aren't over-permissioned
+    permissions:
+      contents: read # Read repository files and PR diffs
+      pull-requests: write # Post review comments and approve/request changes
+      issues: write # Create security incident issues if secrets are detected in output
+      checks: write # (Optional) Show review progress as a check run on the PR
+      id-token: write # Required for OIDC authentication to AWS Secrets Manager
     with:
       add-prompt-files: STYLE.md,COMPONENTS.md
       additional-prompt: |
