diff --git a/.github/workflows/claude-code-dependency-review.yml b/.github/workflows/claude-code-dependency-review.yml
index 45ed9ed..b7e6968 100644
--- a/.github/workflows/claude-code-dependency-review.yml
+++ b/.github/workflows/claude-code-dependency-review.yml
@@ -15,6 +15,9 @@ on:
 CLOUD_ML_REGION:
 required: true
 description: GCP region for Vertex AI
+ ACTIONS_APP_PRIVATE_KEY:
+ required: false
+ description: Private key for the GitHub App used to access private repositories
 jobs:
 dependency-review:
@@ -24,17 +27,35 @@ jobs:
 contents: read
 pull-requests: write
 id-token: write
+ actions: read
 steps:
 - uses: actions/checkout@v6
 with:
+ ref: ${{ github.event.pull_request.head.sha }}
 fetch-depth: 1
+ - name: Generate token for private repositories
+ if: vars.ACTIONS_APP_ID != ''
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.ACTIONS_APP_ID }}
+ private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ - name: Configure git for private repositories
+ if: steps.app-token.outputs.token != ''
+ run: |
+ git config --global url."https://x-access-token:${GIT_ACCESS_TOKEN}@github.com/".insteadOf "https://github.com/"
+ env:
+ GIT_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
 - name: Install dependencies
 id: install-deps
 if: hashFiles('yarn.lock') != ''
 continue-on-error: true
- run: yarn install --frozen-lockfile
+ run: yarn install --frozen-lockfile --ignore-scripts
 - name: Warn on failed dependency install
 if: steps.install-deps.outcome == 'failure'
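Review bot: The `git config --global url."https://x-access-token:${GIT_ACCESS_TOKEN}@github.com/".insteadOf` step writes the installation token into `~/.gitconfig` in plaintext, where it stays for the rest of the job — including the later Claude Code step, whose unrestricted `Read` tool can open that file and whose `gh` commands could carry its contents off the runner. Scope the credential to the install step (for example via `GIT_CONFIG_COUNT`/`GIT_CONFIG_KEY_0`/`GIT_CONFIG_VALUE_0` on that step's `env:`), or at minimum remove it once `yarn install` has run; a cleanup step is shown below. Separately, `create-github-app-token` is given `owner:` but no `repositories:` input, so the token covers every repository the app is installed on in the org; listing the private dependencies explicitly (`repositories: repo-a,repo-b`) keeps it least-privilege. Adding `--ignore-scripts` to the install line is the right call, since with `ref: ${{ github.event.pull_request.head.sha }}` the lockfile being installed comes from the PR tree.
```yaml
      - name: Install dependencies
        # … unchanged: id / if / continue-on-error / run …

      - name: Remove git credential for private repositories
        if: always() && steps.app-token.outputs.token != ''
        run: |
          git config --global --remove-section "url.https://x-access-token:${GIT_ACCESS_TOKEN}@github.com/"
        env:
          GIT_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
```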
@@ -51,10 +72,14 @@ jobs:
 continue-on-error: true
 uses: anthropics/claude-code-action@v1
 with:
- github_token: ${{ github.token }}
 use_vertex: "true"
- plugin_marketplaces: https://github.com/scality/agent-hub
+ anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+ allowed_bots: "dependabot[bot]"
+ plugin_marketplaces: https://github.com/scality/agent-hub.git
 plugins: scality-skills@scality-agent-hub
+ # additional_permissions: |
+ # actions: read
+ # pull-requests: write
 prompt: "/review-dependency-bump REPO: ${{ github.repository }} PR_NUMBER: ${{ github.event.pull_request.number }}"
 claude_args: |
 --allowedTools "Read" "Grep" "WebFetch" "Bash(gh repo view *)" "Bash(gh pr view *)" "Bash(gh pr comment *)" "Bash(gh pr review *)" "Bash(gh api *)"
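Review bot: `"Bash(gh api *)"` in `--allowedTools` lets the agent issue any REST or GraphQL call the job token permits, writes included, which makes the narrower `gh pr view`/`gh pr comment`/`gh pr review` entries moot — and because `WebFetch` is also allowed, the agent is reading third-party changelogs and release notes that an attacker can seed with instructions, so the write surface should be the minimum the review needs. I would drop `"Bash(gh api *)"` and, unless approval by this job is intended, replace `"Bash(gh pr review *)"` with `"Bash(gh pr review --comment *)" "Bash(gh pr review --request-changes *)"`; with `allowed_bots: "dependabot[bot]"`, an approval is exactly what an injected instruction would aim for if the repository auto-merges Dependabot PRs. The new `anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}` sits next to `use_vertex: "true"`, which authenticates via the GCP OIDC token, so either the key is unused or it is a silent fallback; note too that `ANTHROPIC_API_KEY` is not among the `workflow_call` secrets visible in this diff, so callers would need `secrets: inherit` for it to be non-empty. The commented-out `additional_permissions` block is dead config (`actions: read` is already granted on the job) and should be deleted rather than left in.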