diff --git a/.github/workflows/mark-as-draft-on-requesting-changes.yml b/.github/workflows/mark-as-draft-on-requesting-changes.yml
index fd24e135d..0d6bdc3d3 100644
--- a/.github/workflows/mark-as-draft-on-requesting-changes.yml
+++ b/.github/workflows/mark-as-draft-on-requesting-changes.yml
@@ -1,6 +1,11 @@
 name: Mark PR as draft when changes are requested
-on:
+# pull_request_target is safe here because:
+# 1. Only uses a pinned trusted action (by SHA)
+# 2. Has minimal permissions
+# 3. Doesn't checkout or execute any untrusted code from PRs
+# 4. Only adds/removes labels or changes the draft status
+on: # zizmor: ignore[dangerous-triggers]
   pull_request_target:
     types:
       - review_submitted