diff --git a/.github/workflows/contribution-message.yml b/.github/workflows/contribution-message.yml
index d1b7072..35ef613 100644
--- a/.github/workflows/contribution-message.yml
+++ b/.github/workflows/contribution-message.yml
@@ -1,16 +1,17 @@
 name: Post contribution message in pull request
 on:
- pull_request:
+ pull_request_target:
 types: [opened, reopened]
 permissions:
- contents: write
+ # Only scope GITHUB_TOKEN to write for pull requests, others set to none (by default) for security reasons since we are using pull_request_target trigger
 pull-requests: write
 jobs:
 post_contribution_message:
 runs-on: ubuntu-latest
 steps:
+ # DO NOT CHECKOUT TO HEAD UNSAFE (will checkout to head of the fork for pull_request_target trigger)
 - name: Checkout repository
 uses: actions/checkout@v6
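Review bot: The only guard against checking out fork code under `pull_request_target` is the comment above the checkout step, and its wording ("DO NOT CHECKOUT TO HEAD UNSAFE") is easy to misread. I would reword it to `# Keep the default ref (base branch): checking out the PR head here would run fork-controlled code with a write-scoped GITHUB_TOKEN` and add `persist-credentials: false` under a `with:` key on that step so the token is not kept available to git in later steps. The steps after `uses: actions/checkout@v6` are outside this hunk, so it cannot be confirmed from here whether any of them passes PR-controlled fields (title, body, branch name) into a `run:` script; that is worth checking before merging. Dropping `contents: write` leaves `contents` at none, so the checkout would presumably need `contents: read` if the repository is private. Pinning `actions/checkout` to a full commit SHA instead of the `v6` tag would also suit a workflow that runs with a write token on pull requests from forks.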