diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index ebd1bc3b5..b317df058 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -23,6 +23,7 @@ jobs:
       version-commit-callback-action-path: .github/actions/prepare-release
     permissions:
       id-token: write
+      pull-requests: write # required until https://github.com/gardener/cc-utils/pull/1529 is merged
 
   oci-images:
     name: Build OCI-Images
diff --git a/.github/workflows/non-release.yaml b/.github/workflows/non-release.yaml
index e801600e9..158a54fc9 100644
--- a/.github/workflows/non-release.yaml
+++ b/.github/workflows/non-release.yaml
@@ -31,6 +31,7 @@ jobs:
       contents: read
       packages: write
       id-token: write
+      pull-requests: write
 
   component-descriptor:
     if: ${{ github.event_name != 'pull_request_target' || (github.event_name == 'pull_request_target' && github.event.label.name == vars.DEFAULT_LABEL_OK_TO_TEST && vars.DEFAULT_LABEL_OK_TO_TEST != '') }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 45124985f..1600c64b6 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -28,6 +28,7 @@ jobs:
       contents: read
       packages: write
       id-token: write
+      pull-requests: write
     with:
       mode: release
       release-version: ${{ inputs.release-version }}