diff --git a/.github/workflows/apply.yml b/.github/workflows/apply.yml
index baedcf9..3cfbbc9 100644
--- a/.github/workflows/apply.yml
+++ b/.github/workflows/apply.yml
@@ -42,6 +42,9 @@ on:
 kosli_api_token:
 description: "Kosli API token. Required when kosli_template_file is set."
 required: false
+ github_token:
+ description: "GitHub token used by `kosli attest pr github` to look up pull requests. Optional; when omitted the pull-request attestation step is skipped."
+ required: false
 
 jobs:
 apply:
@@ -71,6 +74,7 @@ jobs:
 permissions:
 id-token: write
 contents: read
+ pull-requests: read
 env:
 KOSLI_ORG: ${{ inputs.kosli_org }}
 KOSLI_HOST: ${{ inputs.kosli_host }}
@@ -129,3 +133,10 @@ jobs:
 - name: Kosli attest drift plan
 if: inputs.kosli_template_file != ''
 run: kosli attest artifact /tmp/drift.plan.json --artifact-type file --name drift-plan
+
+ - name: Kosli attest pull request
+ if: inputs.kosli_template_file != '' && secrets.github_token != ''
+ run: |
+ kosli attest pr github \
+ --name pull-request \
+ --github-token ${{ secrets.github_token }}
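Review bot: The secret name `github_token` declared in the first hunk collides with the automatic `GITHUB_TOKEN`, because secret names are matched case-insensitively and the `GITHUB_` prefix is reserved. As far as I know GitHub rejects a `workflow_call` secret with this name as a reserved-name collision. Even if it were accepted, `secrets.github_token` would resolve to the built-in token and never be empty, so the "when omitted the step is skipped" behaviour in the description could not occur. A distinct name such as `kosli_github_token:` avoids both problems, and the reference in the new step in the third hunk would need the same rename.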
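Review bot: `pull-requests: read` in the second hunk is added to the job unconditionally, so it applies to every caller, including those that never set `kosli_template_file` or pass a token. A called workflow cannot receive more `GITHUB_TOKEN` permissions than its caller grants, so callers whose own `permissions:` block omits this scope will probably fail at startup after upgrading. I would document the requirement next to the line, e.g. `# required by "Kosli attest pull request"; callers must also grant pull-requests: read`, and mention it in the release notes. The job definition continues outside the hunk.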
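Review bot: The `if:` on the new step in the third hunk reads `secrets.github_token`, but the `secrets` context is not available in step-level `if:` expressions, so this condition is likely to fail validation rather than skip the step. The token is also expanded by `${{ }}` straight into the script text and passed unquoted on the command line. Binding it to a step-scoped environment variable and testing that variable in the shell keeps the skip behaviour and keeps the token out of the rendered script. It also avoids exposing the token to the other steps of the job.

```yaml
      - name: Kosli attest pull request
        if: inputs.kosli_template_file != ''
        env:
          # Step-scoped: no other step in the job sees this value.
          PR_LOOKUP_TOKEN: ${{ secrets.github_token }}
        run: |
          if [ -z "$PR_LOOKUP_TOKEN" ]; then
            echo "No GitHub token supplied; skipping pull-request attestation."
            exit 0
          fi
          kosli attest pr github \
            --name pull-request \
            --github-token "$PR_LOOKUP_TOKEN"
```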