diff --git a/.github/workflows/trigger-merge-checks.yml b/.github/workflows/trigger-merge-checks.yml
index 7d372d919a..537a3b22c7 100644
--- a/.github/workflows/trigger-merge-checks.yml
+++ b/.github/workflows/trigger-merge-checks.yml
@@ -5,6 +5,10 @@ on:
 branches: [ master ]
 types: [synchronize, opened, reopened, labeled, unlabeled]
 
+permissions:
+ actions: write
+ checks: read
+
 jobs:
 check-design-approved:
 name: Check Design Approved Status
@@ -16,7 +20,7 @@ jobs:
 curl -sSL --fail-with-body \
 -X POST \
 -H "Accept: application/vnd.github+json" \
- -H "Authorization: Bearer ${{ secrets.NITRO_CI_HELPER_WORKFLOWS }}" \
+ -H "Authorization: Bearer $GITHUB_TOKEN" \
 -H "X-GitHub-Api-Version: 2022-11-28" \
 https://api.github.com/repos/$GITHUB_REPOSITORY/actions/workflows/merge-checks.yml/dispatches \
 -d '{"ref":"$GITHUB_BASE_REF"}'
@@ -26,7 +30,7 @@ jobs:
 set -x pipefail
 if curl -sSL --fail-with-body \
 -H "Accept: application/vnd.github+json" \
- -H "Authorization: Bearer ${{ secrets.NITRO_CI_HELPER_RO }}" \
+ -H "Authorization: Bearer $GITHUB_TOKEN" \
 -H "X-GitHub-Api-Version: 2022-11-28" \
 https://api.github.com/repos/$GITHUB_REPOSITORY/commits/$GITHUB_SHA/check-runs \
 | jq -e '.check_runs | .[] | select(.name == "Design Approved Check")' >/dev/null
@@ -35,7 +39,7 @@ jobs:
 curl -sSL --fail-with-body \
 -X POST \
 -H "Accept: application/vnd.github+json" \
- -H "Authorization: Bearer ${{ secrets.NITRO_CI_HELPER_WORKFLOWS }}" \
+ -H "Authorization: Bearer $GITHUB_TOKEN" \
 -H "X-GitHub-Api-Version: 2022-11-28" \
 https://api.github.com/repos/$GITHUB_REPOSITORY/actions/workflows/merge-checks.yml/dispatches \
 -d '{"ref":"$GITHUB_BASE_REF"}'
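Review bot: The new workflow-level `permissions:` block in the first hunk has no comment tying each scope to the call that needs it, and whether the scopes are actually granted depends on the trigger, which sits above this hunk. I would add `# actions: write -> POST .../workflows/merge-checks.yml/dispatches; checks: read -> GET .../commits/$GITHUB_SHA/check-runs` directly above it. If the event is `pull_request`, runs for pull requests from forks normally receive a read-only `GITHUB_TOKEN` regardless of this block, so the dispatch would be rejected for those PRs. If it is `pull_request_target`, the write scope does apply and the job should stay free of any checkout or execution of PR-supplied code.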
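Review bot: `$GITHUB_TOKEN` in the new Authorization header (hunk -16/+20) is a shell variable, and GitHub Actions does not export the job token into `run` steps on its own; nothing in this hunk sets it. Unless an `env:` entry exists outside the hunk, the header carries an empty bearer value and the dispatch fails; the same applies to the check-runs request at -26/+30 and the second dispatch at -35/+39. Add `env:` with `GITHUB_TOKEN: ${{ github.token }}` to each step, or once at job level. Separately, the unchanged `-d '{"ref":"$GITHUB_BASE_REF"}'` is single-quoted, so the shell sends the literal string rather than the base branch; `-d "{\"ref\":\"$GITHUB_BASE_REF\"}"` would expand it. The step's `run:` block starts above the hunk.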
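Review bot: `set -x pipefail` at the top of the -26/+30 hunk does not enable pipefail (it turns on tracing and sets `pipefail` as `$1`), so the trace prints the curl command line including the new bearer header and relies on the runner's log masking. The `if curl … | jq -e …` condition also treats a failed or unauthorized request the same as "check run not present", which matters more now that the token source changes. I would use `set -o pipefail` and split the request from the test, e.g. `runs=$(curl … /check-runs) || exit 1` followed by `if jq -e '…' <<<"$runs" >/dev/null`. The `if` body continues past the end of the hunk.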