diff --git a/.github/workflows/update_coverage.yml b/.github/workflows/update_coverage.yml
index 12f97a209d4..9c1446b8ce7 100644
--- a/.github/workflows/update_coverage.yml
+++ b/.github/workflows/update_coverage.yml
@@ -2,15 +2,16 @@ name: Update rule coverage
 on:
   schedule:
     - cron: '17 2 * * *'
-  workflow_dispatch:
+  workflow_dispatch: # When manually triggered from a non-default branch, the results will not be pushed
 
 jobs:
   update_coverage:
     runs-on: ubuntu-latest
     permissions:
-      id-token: write
+      id-token: write # required by SonarSource/vault-action-wrapper
       contents: write
-      checks: read
+      checks: read # required by fountainhead/action-wait-for-check
+      actions: write # required by andymckay/cancel-action
     env:
       TMP_BRANCH: temporary/coverage_update
 
@@ -86,7 +87,8 @@ jobs:
     - name: 'Push the updated coverage to master'
       if: |
         steps.gen-coverage.outputs.new_coverage == 'true' &&
-        steps.wait-for-build.outputs.conclusion == 'success'
+        steps.wait-for-build.outputs.conclusion == 'success' &&
+        (github.event_name != 'workflow_dispatch' || github.ref_name == ${{ github.event.repository.default_branch }})
       working-directory: 'rspec'
       run: |
         git checkout master