diff --git a/.github/workflows/gitspiegel-trigger.yml b/.github/workflows/gitspiegel-trigger.yml
index 59347fad6d..b338f7a3f6 100644
--- a/.github/workflows/gitspiegel-trigger.yml
+++ b/.github/workflows/gitspiegel-trigger.yml
@@ -13,8 +13,19 @@ on:
       - unlocked
       - ready_for_review
       - reopened
+  # the job doesn't check out any code, so it is relatively safe to run it on any event
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+      - unlocked
+      - ready_for_review
+      - reopened
   merge_group:
 
+# drop all permissions for GITHUB_TOKEN
+permissions: {}
+
 jobs:
   sync:
     runs-on: ubuntu-latest