diff --git a/.github/workflows/openclaw-release-checks.yml b/.github/workflows/openclaw-release-checks.yml
index 1236e38dd49..fff0e57dcca 100644
--- a/.github/workflows/openclaw-release-checks.yml
+++ b/.github/workflows/openclaw-release-checks.yml
@@ -158,6 +158,7 @@ jobs:
 live_and_e2e_release_checks:
 needs: [resolve_target]
 permissions:
+ actions: read
 contents: read
 packages: write
 pull-requests: read
diff --git a/test/scripts/package-acceptance-workflow.test.ts b/test/scripts/package-acceptance-workflow.test.ts
index 7283f5caf54..51352cf9909 100644
--- a/test/scripts/package-acceptance-workflow.test.ts
+++ b/test/scripts/package-acceptance-workflow.test.ts
@@ -105,6 +105,9 @@ describe("package artifact reuse", () => {
 const workflow = readFileSync(RELEASE_CHECKS_WORKFLOW, "utf8");
 expect(workflow).toContain("package_acceptance_release_checks:");
+ expect(workflow).toContain(
+ "live_and_e2e_release_checks:\n needs: [resolve_target]\n permissions:\n actions: read",
+ );
 expect(workflow).toContain("uses: ./.github/workflows/package-acceptance.yml");
 expect(workflow).toContain("package_ref: ${{ needs.resolve_target.outputs.ref }}");
 expect(workflow).toContain("suite_profile: package");
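Review bot: The added `actions: read` under `live_and_e2e_release_checks` has no comment saying which step consumes it, and the same block already grants `packages: write`. A job-level `permissions` map sets every unlisted scope to none, so each entry is a deliberate grant on the job's token and should be traceable to its consumer. I would write it as `actions: read # required by <step or called workflow that reads run/artifact data>` with the real consumer filled in. The rest of the job lies outside the hunk, so it is not visible whether the scope is used by a step here or passed down to a reusable workflow.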
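Review bot: The new `toContain` assertion matches one exact multi-line string, so it passes only while the indentation is byte-identical and the workflow file is checked out with LF line endings. A tolerant match keeps the same intent: `expect(workflow).toMatch(/live_and_e2e_release_checks:\r?\n\s+needs: \[resolve_target\]\r?\n\s+permissions:\r?\n\s+actions: read\b/);`. It also pins a single scope and the key order. If the purpose is to guard this job's token privileges, parsing the YAML and asserting the whole `permissions` map would also catch an unintended widening such as a later `write` grant. The enclosing `it` block starts and ends outside the hunk.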