diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 52e9ec5e2c..0e58e0bf96 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -1,9 +1,14 @@ # This workflow makes sure contributors don't forget to add a changelog entry or explicitly opt-out of it. +# +# Do not extend this workflow to include checking out the code (e.g. for building and testing purposes) while the pull_request_target trigger is used. +# Instead, see use of workflow_run in https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ name: Changelog on: - pull_request: + # The pull_request_target trigger event allows PRs raised from forks to have write permissions and access secrets. + # We uses it in this workflow to enable writing comments to the PR. + pull_request_target: types: - opened - ready_for_review @@ -12,9 +17,9 @@ on: - labeled - unlabeled -# This workflow runs for not-yet-reviewed external contributions and so it -# intentionally has no write access and only limited read access to the -# repository. +# This workflow runs for not-yet-reviewed external contributions. +# Following a pull_request_target trigger the workflow would have write permissions, +# so we intentionally restrict the permissions to only include write access on pull-requests. permissions: contents: read pull-requests: write @@ -155,4 +160,4 @@ jobs: } // Nothing to complain about, so delete any existing comment - await createOrUpdateChangelogComment("", true); \ No newline at end of file + await createOrUpdateChangelogComment("", true);
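Review bot: The new comment block above `on:` only warns against adding a checkout step, but the practical consequence of `pull_request_target` is broader: the workflow definition and its secrets come from the base branch, while everything the PR supplies (title, body, branch name, the changed-file list fetched through the API) is untrusted input to whichever steps read it. A sentence such as `# Any PR-supplied value a step reads (title, body, branch names, file lists) is untrusted; hand it to scripts via env vars or the github-script context, never by interpolating it into a run: line.` would make that explicit for future maintainers. The added comment also has a typo: `# We uses it in this workflow` should read `# We use it in this workflow`. The job body that consumes these values lies outside this hunk, so I cannot confirm how they are handled; this is a documentation suggestion.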
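Review bot: The rewritten comment above `permissions:` states as fact that after a `pull_request_target` trigger the workflow "would have write permissions", but the default GITHUB_TOKEN scope is a repository or organization setting and may already be read-only, so the comment overstates what the block is restricting. Suggest `# pull_request_target runs with the base repository's GITHUB_TOKEN at whatever default scope the repo grants (possibly write), so permissions are pinned explicitly: read-only contents plus write on pull-requests for commenting.` The explicit `permissions:` block is the correct control either way, because it overrides the default regardless of the repository setting, and `pull-requests: write` is the minimum needed for the comment step this workflow performs.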