diff --git a/.github/scripts/upsert-release-pr.sh b/.github/scripts/upsert-release-pr.sh
index 3245fa9..151bca1 100644
--- a/.github/scripts/upsert-release-pr.sh
+++ b/.github/scripts/upsert-release-pr.sh
@@ -38,5 +38,3 @@ else
     --title "chore(release): ${release_version}" \
     --body-file "${body_file}"
 fi
-
-gh issue comment "${ISSUE_NUMBER}" --body "Prepared release PR for ${tag_name} targeting ${target_branch}."
diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
index 8852d2e..e3f1347 100644
--- a/.github/workflows/release-branch.yml
+++ b/.github/workflows/release-branch.yml
@@ -38,6 +38,7 @@ jobs:
           private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
           repositories: ${{ github.event.repository.name }}
+          permission-contents: write
 
       - name: Create branch
         env:
diff --git a/.github/workflows/release-prepare.yml b/.github/workflows/release-prepare.yml
index cb31a28..890abc4 100644
--- a/.github/workflows/release-prepare.yml
+++ b/.github/workflows/release-prepare.yml
@@ -49,6 +49,8 @@ jobs:
           private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
           repositories: ${{ github.event.repository.name }}
+          permission-contents: write
+          permission-pull-requests: write
 
       - name: Prepare release branch
         id: release
@@ -71,6 +73,12 @@ jobs:
           "${{ steps.release.outputs.tag_name }}" \
           2>&1 | tee -a "${RUNNER_TEMP}/release-prepare.log"
 
+      - name: Comment on prepared release
+        run: >
+          gh issue comment "${ISSUE_NUMBER}"
+          --body "Prepared release PR for ${{ steps.release.outputs.tag_name }}
+          targeting ${{ steps.release.outputs.target_branch }}."
+
       - name: Comment on failure
         if: failure()
         env:
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index ab2f135..c7f0622 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -41,6 +41,7 @@ jobs:
           private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
           repositories: ${{ github.event.repository.name }}
+          permission-contents: write
 
       - name: Publish release
         env: