diff --git a/torchci/lib/bot/ciflowPushTrigger.ts b/torchci/lib/bot/ciflowPushTrigger.ts
index a52905cadd..ca8b03b332 100644
--- a/torchci/lib/bot/ciflowPushTrigger.ts
+++ b/torchci/lib/bot/ciflowPushTrigger.ts
@@ -1,4 +1,5 @@
 import { Context, Probot } from "probot";
+import { canRunWorkflows } from "./autoLabelBot";
 import {
   CachedConfigTracker,
   hasApprovedPullRuns,
@@ -89,6 +90,11 @@ async function handleSyncEvent(
 ) {
   context.log.debug("START Processing sync event");
 
+  if (!(await canRunWorkflows(context as any))) {
+    context.log.info("PR does not have permissions to run workflows");
+    return;
+  }
+
   const headSha = payload.pull_request.head.sha;
   const tags = getAllPRTags(context, payload);
   const promises = tags.map(
diff --git a/torchci/test/ciflow-push-trigger.test.ts b/torchci/test/ciflow-push-trigger.test.ts
index 1e3b7efc67..790805608e 100644
--- a/torchci/test/ciflow-push-trigger.test.ts
+++ b/torchci/test/ciflow-push-trigger.test.ts
@@ -1,6 +1,11 @@
 import ciflowPushTrigger from "lib/bot/ciflowPushTrigger";
 import nock from "nock";
 import { Probot, ProbotOctokit } from "probot";
+import {
+  mockApprovedWorkflowRuns,
+  mockHasApprovedWorkflowRun,
+  mockPermissions,
+} from "./utils";
 
 nock.disableNetConnect();
 
@@ -179,6 +184,8 @@ describe("Push trigger integration tests", () => {
       "ciflow/1",
     ];
 
+    mockHasApprovedWorkflowRun(payload.repository.full_name);
+
     for (const label of labels) {
       nock("https://api.github.com")
         .get(
@@ -219,6 +226,21 @@ describe("Push trigger integration tests", () => {
     await probot.receive({ name: "pull_request", id: "123", payload });
   });
 
+  test("synchronization of PR requires permissions", async () => {
+    const payload = require("./fixtures/push-trigger/pull_request.synchronize");
+    mockApprovedWorkflowRuns(
+      payload.repository.full_name,
+      payload.pull_request.head.sha,
+      false
+    );
+    mockPermissions(
+      payload.repository.full_name,
+      payload.pull_request.user.login,
+      "read"
+    );
+    await probot.receive({ name: "pull_request", id: "123", payload });
+  });
+
   test("closure of PR should cause all tags to be removed", async () => {
     const payload = require("./fixtures/push-trigger/pull_request.closed");
     const prNum = payload.pull_request.number;