diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 349041f..fb6493d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,6 +19,7 @@ jobs:
       # required by aws-actions/configure-aws-credentials
       id-token: write
       contents: read
+      pull-requests: write # required by guardian/actions-riff-raff
     steps:
       - uses: actions/checkout@v4
 
@@ -45,9 +46,11 @@ jobs:
         run: ./scripts/ci.sh
 
       - name: Upload to riff-raff
-        uses: guardian/actions-riff-raff@v2
+        uses: guardian/actions-riff-raff@v3
         with:
           app: snyk-tag-monitor
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          commentingStage: INFRA
           projectName: security::snyk-tag-monitor
           configPath: cdk/cdk.out/riff-raff.yaml
           contentDirectories: |