From 198792a9df601a298e0694c5d913484dc2fd07c4 Mon Sep 17 00:00:00 2001
From: Brian Bouterse
Date: Mon, 20 Apr 2026 11:23:39 -0400
Subject: [PATCH] Add pulp-service-reviewer security profile for PR Reviewer agent

Separate read-only + comment profile for the reviewer agent, distinct from the contributor profile which has push_branch permissions.
---
 .../security-profiles/pulp-service-reviewer.yml | 16 ++++++++++++++++
 .alcove/tasks/reviewer.yml | 2 +-
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 .alcove/security-profiles/pulp-service-reviewer.yml

diff --git a/.alcove/security-profiles/pulp-service-reviewer.yml b/.alcove/security-profiles/pulp-service-reviewer.yml
new file mode 100644
index 00000000..4d1a123e
--- /dev/null
+++ b/.alcove/security-profiles/pulp-service-reviewer.yml
@@ -0,0 +1,16 @@
+name: pulp-service-reviewer
+display_name: Pulp Service Reviewer
+description: Read-only access to pulp/pulp-service with permission to post review comments
+tools:
+ github:
+ rules:
+ - repos: ["pulp/pulp-service"]
+ operations:
+ - clone
+ - read_prs
+ - read_issues
+ - read_contents
+ - read_commits
+ - read_branches
+ - read_git
+ - create_comment
diff --git a/.alcove/tasks/reviewer.yml b/.alcove/tasks/reviewer.yml
index ffd8bcec..7b80dae6 100644
--- a/.alcove/tasks/reviewer.yml
+++ b/.alcove/tasks/reviewer.yml
@@ -27,4 +27,4 @@ outputs:
 - comments
 profiles:
- pulp-service-contributor
+ pulp-service-reviewer
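Review bot: `create_comment` is the only mutating operation in the new profile, but nothing in the file marks it as the write boundary, and since the `description` promises "review comments" while the operation name is generic, it is worth confirming that `create_comment` cannot submit a PR review carrying an approve/request-changes state (that would be a merge-gating write, not a comment) and is confined to the single repo in the `repos` rule. A comment above `operations:` such as `# create_comment is the only write op here; every other entry must stay read-only — push or review-submission rights belong in a separate profile.` would make that intent explicit for the next editor. If pulp/pulp-service has workflows that fire on `issue_comment` or on slash-commands in comments, a comment-posting agent can indirectly trigger them, so the agent's comment content is an output worth constraining even with this minimal profile. Minor style point: the new file has no `---` document start, which yamllint's default config flags.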