diff --git a/.github/workflows/notify-team-to-review-pr.yml b/.github/workflows/notify-team-to-review-pr.yml
index 707c6d5b57..73217e72ea 100644
--- a/.github/workflows/notify-team-to-review-pr.yml
+++ b/.github/workflows/notify-team-to-review-pr.yml
@@ -1,7 +1,9 @@
 ---
 name: Add Review Requested Label
 on: # yamllint disable-line rule:truthy
-  pull_request:
+  # the regular `secrets.GITHUB_TOKEN` with `on: pull_request` results in a 403 error
+  # HttpError: Resource not accessible by integration
+  pull_request_target:
     types: [opened]
 
 permissions:
@@ -14,9 +16,13 @@ jobs:
     if: contains(github.event.pull_request.labels.*.name, 'konflux-nudge') == false
     runs-on: ubuntu-latest
     steps:
+
+      # SECURITY: never clone untrusted code in pull_request_target workflows
+
       - name: Add review-requested label
         uses: actions/github-script@v7
         with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
           # language=javascript
           script: |
             await github.rest.issues.addLabels({
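Review bot: Moving the trigger to `pull_request_target` makes this workflow run with the base branch's definition and a write-capable `GITHUB_TOKEN` for every opened PR, fork PRs included, so the `permissions` block (its key is context here, its body lies outside the hunk) should be checked to grant only the one scope addLabels needs on a PR, `pull-requests: write`, and nothing broader. The two added comments describe the symptom but not the cause; `# on pull_request the token for fork PRs is read-only, so addLabels fails with 403` would tell the next reader why the trigger was changed instead of leaving the 403 as a mystery. The `if:` expression only feeds `github.event.pull_request.labels.*.name` into `contains()`, which is fine, but under this trigger any future use of PR-controlled fields (title, body, branch name) inside a `run:` step would be a command-injection risk and should be kept inside the github-script call instead.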
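Review bot: The added `github-token: ${{ secrets.GITHUB_TOKEN }}` in the second hunk is redundant, since actions/github-script already defaults its `github-token` input to `${{ github.token }}`, which is the same token; either drop the line or keep it with a comment saying it is spelled out on purpose. The new `# SECURITY:` comment would carry more weight if it stated the whole rule for this trigger rather than only the checkout case, e.g. `# SECURITY: pull_request_target runs on the base branch with a write token: never check out the PR head here and never interpolate PR-controlled fields into a run: step`. The addLabels call and the rest of the script continue past the end of the hunk.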