diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 1f8b2b906..b88d675b9 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -10,14 +10,13 @@ concurrency:
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: read
+ contents: write
+ statuses: write
+
 steps:
 - uses: actions/checkout@v3
- - name: Get auth token
- id: token
- uses: getsentry/action-github-app-token@v2.0.0
- with:
- app_id: ${{ secrets.SENTRY_INTERNAL_APP_ID }}
- private_key: ${{ secrets.SENTRY_INTERNAL_APP_PRIVATE_KEY }}
 - name: Get changed files
 id: changes
 uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
@@ -40,14 +39,25 @@ jobs:
 pre-commit install

 - name: Run pre-commit on PR commits
+ id: pre-commit_results
+ continue-on-error: true
 run: |
 jq '.[]' --raw-output <<< '${{steps.changes.outputs.all_files}}' |
 # Run pre-commit to lint and format check files that were changed (but not deleted) compared to master.
 xargs pre-commit run --files

+ - name: Get auth token
+ id: token
+ if: ${{ steps.pre-commit_results.outcome == 'failure' }}
+ uses: getsentry/action-github-app-token@v3.0.0
+ with:
+ app_id: ${{ vars.SENTRY_INTERNAL_APP_ID }}
+ private_key: ${{ secrets.SENTRY_INTERNAL_APP_PRIVATE_KEY }}
+
 - name: Apply any pre-commit fixed files
+ if: ${{ steps.pre-commit_results.outcome == 'failure' }}
 # note: this runs "always" or else it's skipped when pre-commit fails
- uses: getsentry/action-github-commit@31f6706ca1a7b9ad6d22c1b07bf3a92eabb05632 # v2.0.0
+ uses: getsentry/action-github-commit@v2.1.0
 with:
 github-token: ${{ steps.token.outputs.token }}
 message: ':hammer_and_wrench: apply pre-commit fixes'
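Review bot: The job-level `permissions` block added under `build` gives the workflow token `contents: write` and `statuses: write`, yet the only write visible in this diff (the "Apply any pre-commit fixed files" step in the next hunk) authenticates with the app token from `steps.token.outputs.token`, not with the workflow token. If no step outside these hunks pushes or posts statuses with `GITHUB_TOKEN`, reduce this to `contents: read` and drop `statuses: write`; `actions/checkout` persists the workflow token in the local git config by default, and pre-commit hooks then run in that checkout. If the write scopes are in fact required, a comment naming the consumer makes that reviewable, e.g. `# statuses: write is needed by <step name>`. The `build` job starts and continues outside the hunk, so the trigger and the remaining steps are not visible here.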
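Review bot: `getsentry/action-github-commit` moves from a full commit SHA to the mutable tag `v2.1.0`, and the re-added `getsentry/action-github-app-token@v3.0.0` is tag-pinned as well, although these are the two steps that receive the app private key and the write-capable token minted from it. A tag can be re-pointed upstream, so pin both the way `dorny/paths-filter` is pinned in this file: `uses: getsentry/action-github-commit@<full-commit-sha> # v2.1.0`. Separately, `continue-on-error: true` on the pre-commit step means its failure no longer fails the job; unless a step after this hunk re-checks `steps.pre-commit_results.outcome`, lint errors that pre-commit cannot auto-fix would pass. The retained comment `# note: this runs "always" ...` no longer matches the new `if:` and could read `# runs only when pre-commit failed, i.e. it may have rewritten files`. The `with:` block of the last step may continue past the end of the hunk.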