diff --git a/.github/workflows/prerequisites.yml b/.github/workflows/prerequisites.yml
index a5ccd57f7f..b0b62976c5 100644
--- a/.github/workflows/prerequisites.yml
+++ b/.github/workflows/prerequisites.yml
@@ -90,7 +90,7 @@ jobs:
         EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
         {
           echo "SCHEMA_CHANGES<<$EOF";
-          schema-tools compare -p azure -o ${{ inputs.default_branch }} -n --local-path=provider/cmd/pulumi-resource-azure/schema.json;
+          schema-tools compare -r github://api.github.com/pulumi -p azure -o ${{ inputs.default_branch }} -n --local-path=provider/cmd/pulumi-resource-azure/schema.json;
           echo "$EOF";
         } >> "$GITHUB_ENV"
     - if: inputs.is_pr && inputs.is_automated == false
diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml
index 000a12ae6d..4bf8657bca 100644
--- a/.github/workflows/run-acceptance-tests.yml
+++ b/.github/workflows/run-acceptance-tests.yml
@@ -45,6 +45,8 @@ jobs:
   prerequisites:
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
+    permissions:
+      pull-requests: write
     uses: ./.github/workflows/prerequisites.yml
     secrets: inherit
     with:
@@ -96,6 +98,8 @@ jobs:
     name: sentinel
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
+    permissions:
+      statuses: write
     needs:
     - test
     - build_provider