diff --git a/.github/workflows/bot-ci-failure.yml b/.github/workflows/bot-ci-failure.yml
index 17f32eb97..3ce77998b 100644
--- a/.github/workflows/bot-ci-failure.yml
+++ b/.github/workflows/bot-ci-failure.yml
@@ -7,7 +7,7 @@ on:
       - completed
 
 permissions:
-  pull-requests: write
+  pull-requests: read
   actions: read
   contents: read
 
@@ -18,7 +18,7 @@ concurrency:
 jobs:
   find-pr:
     runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.conclusion == 'failure' }}
+    if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.workflow_run.event == 'pull_request' }}
     outputs:
       pr_number: ${{ steps.pr.outputs.number }}
       pr_author: ${{ steps.pr.outputs.author }}
@@ -69,6 +69,10 @@ jobs:
   call-ci-failure-bot:
     needs: find-pr
     if: ${{ needs.find-pr.outputs.pr_number != '' }}
+    permissions:
+      pull-requests: write
+      actions: write
+      contents: read
     uses: openwisp/openwisp-utils/.github/workflows/reusable-bot-ci-failure.yml@master
     with:
       pr_number: ${{ needs.find-pr.outputs.pr_number }}