diff --git a/.changeset/nine-grapes-promise.md b/.changeset/nine-grapes-promise.md
new file mode 100644
index 00000000000..a845151cc84
--- /dev/null
+++ b/.changeset/nine-grapes-promise.md
@@ -0,0 +1,2 @@
+---
+---
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6579f700794..80a205af864 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,7 +2,8 @@ name: CI
 
 on:
   merge_group:
-  pull_request:
+  pull_request_target:
+    types: [opened, synchronize]
     branches:
       - main
       - release/v4
@@ -12,7 +13,7 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  # Check triggering actor permissions to prevent PRs from forks accessing secrets by default, preventing them from exfiltrating secrets for malicious purposes
+  # Check triggering actor permissions to prevent PRs from forks accessing secrets by default, preventing them from accessing secrets for malicious purposes
   check-permissions:
     runs-on: 'blacksmith-8vcpu-ubuntu-2204'
     steps:
@@ -47,6 +48,7 @@ jobs:
         with:
           fetch-depth: 0
           show-progress: false
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Setup
         id: config
@@ -118,6 +120,7 @@ jobs:
         with:
           fetch-depth: 0
           show-progress: false
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Setup
         id: config
@@ -179,6 +182,7 @@ jobs:
         with:
           fetch-depth: 0
           show-progress: false
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Setup
         id: config