diff --git a/.github/workflows/add-labels.yml b/.github/workflows/add-labels.yml
index e0452a5631c..cae26b876b4 100644
--- a/.github/workflows/add-labels.yml
+++ b/.github/workflows/add-labels.yml
@@ -3,7 +3,7 @@ on:
   issues:
     types: [ opened ]
 
-  pull_request:
+  pull_request_target:
     branches: [ 'main*' ]
 
 permissions:
@@ -33,13 +33,15 @@ jobs:
           ISSUE_BODY: ${{ github.event.issue.body }}
 
   add-labels-on-pull-requests:
-    if: github.event_name == 'pull_request'
+    if: github.event_name == 'pull_request_target'
 
     runs-on: ubuntu-latest
 
     steps:
       - name: check out code
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.repository.default_branch }} # Note: Do not run on the PR branch we want to execute add-labels.psm1 from main on the base repo only because pull_request_target can see secrets
 
       - name: Add labels for files changed on pull requests
         shell: pwsh