diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 9e7f696..b11f1d4 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -2,7 +2,11 @@ name: Dependabot Auto Merge
 on:
- pull_request:
+ # https://securitylab.github.com/research/github-actions-preventing-pwn-requests
+ # could and should work, at least for public repos;
+ # tracking issue for this action's issue:
+ # https://github.com/ahmadnassri/action-dependabot-auto-merge/issues/60
+ pull_request_target:
 jobs:
 auto-merge:
@@ -13,5 +17,6 @@ jobs:
 with:
 target: patch
 # Note: This needs to be a PAT with (public) repo rights,
- # user needs to have access to this repo
+ # PAT-owning user needs to have write access to this repo
+ # (dependabot needs to recognize the comment as coming from an allowed reviewer)
 github-token: ${{ secrets.BOT_TOKEN }}
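Review bot: Nothing in the first hunk restricts which pull requests reach the `auto-merge` job once the trigger becomes `pull_request_target`, so the job — and with it the write-capable PAT passed as `secrets.BOT_TOKEN` in the second hunk — now runs for pull requests opened from forks as well, not only for Dependabot's. The pwn-requests article the added comment links to describes exactly this exposure when such a job checks out, builds or otherwise runs PR-controlled content; whether this job does so cannot be seen here, because the `auto-merge` job's steps lie between the two hunks. Gate the job on the Dependabot actor directly under `auto-merge:`, e.g. `if: github.actor == 'dependabot[bot]'`, and keep the job free of any checkout of the PR head. A top-level `permissions:` block scoped to what the action needs would additionally keep the default `GITHUB_TOKEN` from being write-capable on top of the PAT.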