diff --git a/.github/actions/setup-tools/action.yml b/.github/actions/setup-tools/action.yml
index 0723692..0a9227f 100644
--- a/.github/actions/setup-tools/action.yml
+++ b/.github/actions/setup-tools/action.yml
@@ -8,6 +8,8 @@ runs:
       uses: catchpoint/workflow-telemetry-action@v2
       with:
         comment_on_pr: false
+      env:
+        GITHUB_TOKEN: ""
 
     - name: Setup mise
       uses: jdx/mise-action@v2
diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml
index df0d576..573b482 100644
--- a/.github/workflows/run-acceptance-tests.yml
+++ b/.github/workflows/run-acceptance-tests.yml
@@ -66,7 +66,11 @@ jobs:
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
-    name: prerequisites
+    permissions:
+      contents: read
+      id-token: write
+      actions: write # For telemetry.
+      pull-requests: write # For schema comment.
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
@@ -176,6 +180,10 @@ jobs:
 
   test:
     runs-on: pulumi-ubuntu-8core
+    permissions:
+      contents: read
+      id-token: write
+      actions: write # For telemetry.
     needs:
       - prerequisites
     strategy:
@@ -187,10 +195,6 @@ jobs:
           - dotnet
           - go
           - java
-    name: test
-    permissions:
-      contents: read
-      id-token: write
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
@@ -286,6 +290,10 @@ jobs:
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      actions: write # For telemetry.
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4