diff --git a/.github/workflows/post-release-mergeback.yml b/.github/workflows/post-release-mergeback.yml
index 9b0b35118a..251d17c4b5 100644
--- a/.github/workflows/post-release-mergeback.yml
+++ b/.github/workflows/post-release-mergeback.yml
@@ -29,6 +29,7 @@ jobs:
 
     permissions:
       contents: write # needed to create tags and push commits
+      pull-requests: write
 
     steps:
       - name: Dump environment
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 134e822793..941fe13ff0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
+No user facing changes.
+
+## 3.28.6 - 27 Jan 2025
+
 - Re-enable debug artifact upload for CLI versions 2.20.3 or greater. [#2726](https://github.com/github/codeql-action/pull/2726)
 
 ## 3.28.5 - 24 Jan 2025
diff --git a/node_modules/.package-lock.json b/node_modules/.package-lock.json
index 1f1c8a4a58..7d51a675c2 100644
--- a/node_modules/.package-lock.json
+++ b/node_modules/.package-lock.json
@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.28.6",
+  "version": "3.28.7",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
diff --git a/package-lock.json b/package-lock.json
index b34e41be0d..426e158c61 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "3.28.6",
+  "version": "3.28.7",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "3.28.6",
+      "version": "3.28.7",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^2.1.9",
diff --git a/package.json b/package.json
index df627fc4eb..8b2faf1a60 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.28.6",
+  "version": "3.28.7",
   "private": true,
   "description": "CodeQL action",
   "scripts": {