diff --git a/native-provider-ci/providers/aws-native/repo/.github/workflows/run-acceptance-tests.yml b/native-provider-ci/providers/aws-native/repo/.github/workflows/run-acceptance-tests.yml index ee4b4d1ff..dcc075f82 100644 --- a/native-provider-ci/providers/aws-native/repo/.github/workflows/run-acceptance-tests.yml +++ b/native-provider-ci/providers/aws-native/repo/.github/workflows/run-acceptance-tests.yml @@ -393,7 +393,10 @@ jobs: state: success description: Sentinel checks passed sha: ${{ github.event.pull_request.head.sha || github.sha }} + permissions: + statuses: write if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository needs: - test + - prerequisites diff --git a/native-provider-ci/providers/command/repo/.github/workflows/run-acceptance-tests.yml b/native-provider-ci/providers/command/repo/.github/workflows/run-acceptance-tests.yml index 0b450140d..eb79b83a8 100644 --- a/native-provider-ci/providers/command/repo/.github/workflows/run-acceptance-tests.yml +++ b/native-provider-ci/providers/command/repo/.github/workflows/run-acceptance-tests.yml @@ -353,10 +353,13 @@ jobs: state: success description: Sentinel checks passed sha: ${{ github.event.pull_request.head.sha || github.sha }} + permissions: + statuses: write if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository needs: - test + - prerequisites - lint lint: runs-on: ubuntu-latest diff --git a/native-provider-ci/providers/docker-build/repo/.github/workflows/run-acceptance-tests.yml b/native-provider-ci/providers/docker-build/repo/.github/workflows/run-acceptance-tests.yml index 2cc11158c..e9e1b84e2 100644 --- a/native-provider-ci/providers/docker-build/repo/.github/workflows/run-acceptance-tests.yml +++ b/native-provider-ci/providers/docker-build/repo/.github/workflows/run-acceptance-tests.yml 
@@ -409,10 +409,13 @@ jobs: state: success description: Sentinel checks passed sha: ${{ github.event.pull_request.head.sha || github.sha }} + permissions: + statuses: write if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository needs: - test + - prerequisites - lint lint: runs-on: ubuntu-latest diff --git a/native-provider-ci/providers/google-native/repo/.github/workflows/run-acceptance-tests.yml b/native-provider-ci/providers/google-native/repo/.github/workflows/run-acceptance-tests.yml index ec06f9b6e..3ebb05ef5 100644 --- a/native-provider-ci/providers/google-native/repo/.github/workflows/run-acceptance-tests.yml +++ b/native-provider-ci/providers/google-native/repo/.github/workflows/run-acceptance-tests.yml @@ -396,7 +396,10 @@ jobs: state: success description: Sentinel checks passed sha: ${{ github.event.pull_request.head.sha || github.sha }} + permissions: + statuses: write if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository needs: - test + - prerequisites diff --git a/native-provider-ci/providers/kubernetes-cert-manager/repo/.github/workflows/run-acceptance-tests.yml b/native-provider-ci/providers/kubernetes-cert-manager/repo/.github/workflows/run-acceptance-tests.yml index 06792a221..b7a977930 100644 --- a/native-provider-ci/providers/kubernetes-cert-manager/repo/.github/workflows/run-acceptance-tests.yml +++ b/native-provider-ci/providers/kubernetes-cert-manager/repo/.github/workflows/run-acceptance-tests.yml @@ -390,10 +390,13 @@ jobs: state: success description: Sentinel checks passed sha: ${{ github.event.pull_request.head.sha || github.sha }} + permissions: + statuses: write if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository needs: - test + - prerequisites - lint lint: runs-on: ubuntu-latest 
diff --git a/native-provider-ci/providers/kubernetes-ingress-nginx/repo/.github/workflows/run-acceptance-tests.yml b/native-provider-ci/providers/kubernetes-ingress-nginx/repo/.github/workflows/run-acceptance-tests.yml index 92768120e..5522c1ce6 100644 --- a/native-provider-ci/providers/kubernetes-ingress-nginx/repo/.github/workflows/run-acceptance-tests.yml +++ b/native-provider-ci/providers/kubernetes-ingress-nginx/repo/.github/workflows/run-acceptance-tests.yml @@ -390,10 +390,13 @@ jobs: state: success description: Sentinel checks passed sha: ${{ github.event.pull_request.head.sha || github.sha }} + permissions: + statuses: write if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository needs: - test + - prerequisites - lint lint: runs-on: ubuntu-latest diff --git a/native-provider-ci/providers/kubernetes/repo/.github/workflows/run-acceptance-tests.yml b/native-provider-ci/providers/kubernetes/repo/.github/workflows/run-acceptance-tests.yml index 50342591b..1474cefa6 100644 --- a/native-provider-ci/providers/kubernetes/repo/.github/workflows/run-acceptance-tests.yml +++ b/native-provider-ci/providers/kubernetes/repo/.github/workflows/run-acceptance-tests.yml @@ -425,10 +425,13 @@ jobs: state: success description: Sentinel checks passed sha: ${{ github.event.pull_request.head.sha || github.sha }} + permissions: + statuses: write if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository needs: - test + - prerequisites - lint lint: runs-on: ubuntu-latest diff --git a/native-provider-ci/src/workflows.ts b/native-provider-ci/src/workflows.ts index 83f41aeaa..493932238 100644 --- a/native-provider-ci/src/workflows.ts +++ b/native-provider-ci/src/workflows.ts 
@@ -144,6 +144,7 @@ export function RunAcceptanceTestsWorkflow(
 .addRunsOn(opts.provider),
 test: new TestsJob(name, "test", opts).addDispatchConditional(true),
 sentinel: new EmptyJob("sentinel")
+ .addPermissions({ statuses: "write" })
 .addConditional(
 "github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository"
 )
@@ -164,7 +165,7 @@ function calculateSentinelNeeds(
 requiresLint: boolean,
 provider: string
 ): string[] {
- const needs: string[] = ["test"];
+ const needs: string[] = ["test", "prerequisites"];
 if (requiresLint) {
 needs.push("lint");
@@ -1009,6 +1010,7 @@ export class EmptyJob implements NormalJob {
 name: string;
 if?: string;
 needs?: string[];
+ permissions?: any;
 constructor(name: string, params?: Partial) {
 this.name = name;
@@ -1035,4 +1037,9 @@ export class EmptyJob implements NormalJob {
 this.needs = name;
 return this;
 }
+
+ addPermissions(permissions: any) {
+ this.permissions = permissions;
+ return this;
+ }
 }
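Review bot: The new `.addPermissions({ statuses: "write" })` call on the sentinel job has no comment saying why this one scope is granted. A job-level `permissions` block sets every scope it does not list to `none`, which is the least-privilege result wanted for a job that, judging by the generated YAML, only posts a commit status. Stating that next to the call keeps a later maintainer from widening the grant when some new step in this job fails for lack of a scope. I would add `// sentinel only posts a commit status; all other GITHUB_TOKEN scopes stay at none` directly above the call. The jobs object this line sits in starts and ends outside the hunk.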
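Review bot: `permissions?: any` in this hunk and `addPermissions(permissions: any)` in the last hunk leave a security-relevant field untyped. As written, `any` accepts a misspelt scope key or the blanket string `"write-all"` without complaint, and the mistake would only show up in the generated workflows. Narrowing both to what a per-scope grant can hold, for example `permissions?: Record<string, "read" | "write" | "none">;` and the same type on the method parameter, lets the compiler reject an over-broad or mistyped grant. If `NormalJob` already declares a permissions type (not visible here), reusing it would be better still. The class body starts and ends outside both hunks.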