diff --git a/.github/workflows/open_cts_issue.yml b/.github/workflows/open_cts_issue.yml
index cc8abc9f..37b142a1 100644
--- a/.github/workflows/open_cts_issue.yml
+++ b/.github/workflows/open_cts_issue.yml
@@ -1,5 +1,15 @@
 name: Open CTS issue for spec changes
-on: pull_request
+on:
+  # We use the pull_request_target trigger to always run the workflow in the context of the base branch,
+  # since this allows us to access repository secrets even if the PR originates from a fork.
+  #
+  # Importantly, the workflow must not checkout any code from the PR branch, as this could allow an attacker
+  # to gain write access to the repository.
+  # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for more information.
+  pull_request_target:
+    types: opened
+    paths:
+      - 'adoc/**'
 jobs:
   create-issue:
     runs-on: ubuntu-latest
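Review bot: Switching to `pull_request_target` gives the run a write-capable default `GITHUB_TOKEN` plus repository secrets, but the hunk adds no top-level `permissions:` block, so the token keeps the repository's default scope rather than only what creating an issue needs. A least-privilege declaration next to `on:` would be `permissions:` / `  issues: write` / `  contents: read`, adjusted to whatever the job actually calls. The new comment states the workflow must not check out PR code, but the job body under `create-issue` continues outside the hunk, so whether any `actions/checkout` step with a PR ref exists cannot be confirmed from here; that invariant is worth pinning with a review rule or a comment on the job itself rather than only on the trigger. Note also that `types: opened` alone means later pushes that add `adoc/**` changes to an already-open PR will not trigger the workflow, which may be intended but should be stated in the comment.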