diff --git a/CHANGELOG.md b/CHANGELOG.md
index a711de466d4..e2efab0d423 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,3 +4,4 @@
     that this is a preview feature and if you find any bugs, please file them
     here: <https://github.com/firebase/firebase-tools/issues>.
 - Improve FAH onboarding flow to connect backends with SCMs (#6764).
+- Fixed issue where GitHub actions would fail due to lack of permission. (#6791)
diff --git a/src/init/features/hosting/github.ts b/src/init/features/hosting/github.ts
index 9508ad1f659..421fb5faf40 100644
--- a/src/init/features/hosting/github.ts
+++ b/src/init/features/hosting/github.ts
@@ -277,6 +277,7 @@ function mkdirNotExists(dir: string): void {
 type GitHubWorkflowConfig = {
   name: string;
   on: string | { [key: string]: { [key: string]: string[] } };
+  permissions?: string | { [key: string]: string };
   jobs: {
     [key: string]: {
       if?: string;
@@ -300,6 +301,11 @@ function writeChannelActionYMLFile(
   const workflowConfig: GitHubWorkflowConfig = {
     name: "Deploy to Firebase Hosting on PR",
     on: "pull_request",
+    permissions: {
+      checks: "write",
+      contents: "read",
+      "pull-requests": "write",
+    },
     jobs: {
       ["build_and_preview"]: {
         if: "${{ github.event.pull_request.head.repo.full_name == github.repository }}", // secrets aren't accessible on PRs from forks