From de3984c24b4d5e3933a4a548bfa8502bdfab03b4 Mon Sep 17 00:00:00 2001
From: Frank Elsinga <frank@elsinga.de>
Date: Sun, 11 Jan 2026 04:53:25 +0100
Subject: [PATCH] Update .github/workflows/new_contributor_pr.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/new_contributor_pr.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/new_contributor_pr.yml b/.github/workflows/new_contributor_pr.yml
index 168cae1b2..cad5bc59e 100644
--- a/.github/workflows/new_contributor_pr.yml
+++ b/.github/workflows/new_contributor_pr.yml
@@ -1,6 +1,10 @@
 name: New contributor message
 
 on:
+  # Safety
+  # This workflow uses pull_request_target so it can run with write permissions on first-time contributor PRs.
+  # It is safe because it does not check out or execute any code from the pull request and
+  # only uses the pinned, trusted actions/first-interaction action
   pull_request_target:
     types: [opened]
     branches: