diff --git a/.github/workflows/compose-image-guard.yml b/.github/workflows/compose-image-guard.yml
index 8a5d406..5c5113c 100644
--- a/.github/workflows/compose-image-guard.yml
+++ b/.github/workflows/compose-image-guard.yml
@@ -14,6 +14,10 @@ on:
       - '.github/workflows/compose-image-guard.yml'
       - '.github/scripts/ensure_compose_image.py'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   validate-compose-image:
     runs-on: ubuntu-latest
@@ -31,6 +35,12 @@ jobs:
           python -m pip install --upgrade pip
           pip install pyyaml
 
-      - name: Validate docker-compose image
-        run: |
-          python .github/scripts/ensure_compose_image.py docker-compose.yaml --autocommit
\ No newline at end of file
+      # On pushes to this repo: normalize and push
+      - name: Validate and normalize (auto-commit on push)
+        if: github.event_name == 'push' && github.repository == 'Xoconoch/spotizerr'
+        run: python .github/scripts/ensure_compose_image.py docker-compose.yaml --autocommit
+
+      # On PRs (including forks): validate only, no push
+      - name: Validate (no auto-commit on PR)
+        if: github.event_name != 'push' || github.repository != 'Xoconoch/spotizerr'
+        run: python .github/scripts/ensure_compose_image.py docker-compose.yaml
\ No newline at end of file