diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
index e9871360b5..58f0b5a0f5 100644
--- a/.github/workflows/pr-labeler.yml
+++ b/.github/workflows/pr-labeler.yml
@@ -16,9 +16,10 @@ name: "Pull Request Labeler"
 run-name: Pull request labeler for ${{ github.ref_name }}
-on:
-  pull_request:
-    types: [opened]
+# NOTE: security risk from this action.
+# DO NOT add actions in here which need a checkout of the repo, and
+# DO NOT use any caching in here.
+on: pull_request_target
 jobs:
   label-pr:
@@ -26,7 +27,9 @@ jobs:
       github.event.pull_request.user.login != 'octobot' &&
       github.event.pull_request.user.login != 'dependabot[bot]'
     permissions:
+      # for actions/labeler to determine modified files
       contents: read
+      # for actions/labeler to add labels to PRs
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
@@ -34,4 +37,5 @@ jobs:
         with:
           configuration-path: .github/pr-labeler-config.yml
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          # Remove labels when matching files are reverted
           sync-labels: true
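Review bot: The added NOTE names checkout and caching but not the actual hazard of `pull_request_target`: the job runs in the base repository's context with a write-scoped `GITHUB_TOKEN`, so the rule is that nothing from the PR head may be executed or interpolated — no checkout of `${{ github.event.pull_request.head.sha }}`, no building or running PR files, and no untrusted event fields (`pull_request.title`, `.body`, `.head.ref`) inside a `run:` step — while a checkout of the base branch is harmless. I would reword it to `# DO NOT check out, build or run anything from the PR head (github.event.pull_request.head.*), DO NOT interpolate PR-controlled fields into run: steps, and DO NOT use caching in here.` Dropping the `types:` line also widens the trigger from `opened` to the default `opened`/`synchronize`/`reopened`; if that is intended (later pushes are what makes sync-labels useful) spell it out as `on:` / `  pull_request_target:` / `    types: [opened, synchronize, reopened]` so the change is visible. Under `pull_request_target` I believe `github.ref_name` on the `run-name` context line resolves to the base branch rather than a PR ref, so every run gets the same title; `${{ github.event.pull_request.number }}` would be more useful there.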
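Review bot: The comment on `contents: read` may be misleading: actions/labeler obtains the changed-file list through the pull-request API, and as far as I can tell `contents: read` is what lets it fetch `configuration-path` from the base branch (which matters on private repositories). I would reword it to `# for actions/labeler to read the config file from the base branch`. The `if:` expression on the `label-pr` job starts outside the hunk.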
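Review bot: The comment on `sync-labels: true` understates what the option does: the action removes any label defined in the config whose patterns no longer match the PR's changed files, which also strips such a label when a maintainer applied it by hand and a later push (a `synchronize` event, which the new trigger now fires on) no longer matches. If that is acceptable, say so in the comment, e.g. `# Remove config-defined labels that no longer match the PR's changed files (also undoes manual additions of those labels)`; otherwise keep the labeler-managed label names disjoint from the ones humans apply.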