diff --git a/.github/workflows/check-manifest-generation-diff.yaml b/.github/workflows/check-manifest-generation-diff.yaml
index 74727b44..4f563ea7 100644
--- a/.github/workflows/check-manifest-generation-diff.yaml
+++ b/.github/workflows/check-manifest-generation-diff.yaml
@@ -3,6 +3,10 @@ name: Check for diff after manifest and generated targets
 on:
   pull_request: {}
 
+permissions:
+  contents: read
+  pull-requests: write
+    
 jobs:
   diff-check-manifests:
     name: Check for diff
diff --git a/api/v1alpha1/constants.go b/api/v1alpha1/constants.go
index 3b8197f3..601511d4 100644
--- a/api/v1alpha1/constants.go
+++ b/api/v1alpha1/constants.go
@@ -2,7 +2,7 @@ package v1alpha1
 
 const (
 	// DefaultRegistryCertificateSecretName is the name of the of certificate secret for client and registry.
-	DefaultRegistryCertificateSecretName = "ocm-registry-tls-certs" // nolint:gosec // not a credential
+	DefaultRegistryCertificateSecretName = "ocm-registry-tls-certs" // #nosec G101 // not a credential
 )
 
 // Internal ExtraIdentity keys.
@@ -35,5 +35,5 @@ const (
 // Ocm credential config key for secrets.
 const (
 	// OCMCredentialConfigKey defines the secret key to look for in case a user provides an ocm credential config.
-	OCMCredentialConfigKey = ".ocmcredentialconfig" // nolint:gosec // it isn't a cred
+	OCMCredentialConfigKey = ".ocmcredentialconfig" // #nosec G101 // not a credential
 )
diff --git a/pkg/oci/repository.go b/pkg/oci/repository.go
index e88b35d2..5c03e4b8 100644
--- a/pkg/oci/repository.go
+++ b/pkg/oci/repository.go
@@ -143,8 +143,7 @@ func (c *Client) setupCertificates(ctx context.Context) error {
 }
 
 func (c *Client) constructTLSRoundTripper() http.RoundTripper {
-	// nolint:gosec // must provide lower version for quay.io
-	tlsConfig := &tls.Config{}
+	tlsConfig := &tls.Config{} // #nosec G402 // must provide lower version for quay.io
 	caCertPool := x509.NewCertPool()
 	caCertPool.AppendCertsFromPEM(c.ca)