diff --git a/.github/workflows/prerequisites.yml b/.github/workflows/prerequisites.yml
index 6cc0e80f..77dd32b5 100644
--- a/.github/workflows/prerequisites.yml
+++ b/.github/workflows/prerequisites.yml
@@ -91,7 +91,7 @@ jobs:
         EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
         {
           echo "SCHEMA_CHANGES<<$EOF";
-          schema-tools compare -p docker -o ${{ inputs.default_branch }} -n --local-path=provider/cmd/pulumi-resource-docker/schema.json;
+          schema-tools compare -r github://api.github.com/pulumi -p docker -o ${{ inputs.default_branch }} -n --local-path=provider/cmd/pulumi-resource-docker/schema.json;
           echo "$EOF";
         } >> "$GITHUB_ENV"
     - if: inputs.is_pr && inputs.is_automated == false
diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml
index 44039b33..0c531a8a 100644
--- a/.github/workflows/run-acceptance-tests.yml
+++ b/.github/workflows/run-acceptance-tests.yml
@@ -53,6 +53,8 @@ jobs:
   prerequisites:
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
+    permissions:
+      pull-requests: write
     uses: ./.github/workflows/prerequisites.yml
     secrets: inherit
     with:
@@ -104,6 +106,8 @@ jobs:
     name: sentinel
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
+    permissions:
+      statuses: write
     needs:
     - test
     - build_provider