diff --git a/.github/workflows/lint-pr.yml b/.github/workflows/lint-pr.yml
index 637dcd9957b..3d2ba14a1fd 100644
--- a/.github/workflows/lint-pr.yml
+++ b/.github/workflows/lint-pr.yml
@@ -2,6 +2,10 @@ name: "Lint PR"
 on:
   pull_request_target:
+    # BE CAREFUL - this event runs in the context of the default branch (`main`) workflow definition in the target
+    # repository (NOT the fork's context), so it has potentially sensitive access.
+    # It is critical that this only runs on very limited events and/or access to the repo
+    # Read https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target
     types:
       - opened
       - edited
diff --git a/.github/workflows/publish-suppressions.yml b/.github/workflows/publish-suppressions.yml
index 2d5d7d2963a..bc0acf4ddf5 100644
--- a/.github/workflows/publish-suppressions.yml
+++ b/.github/workflows/publish-suppressions.yml
@@ -2,13 +2,21 @@ name: Publish Suppressions
 on:
   workflow_dispatch:
-  push:
-    branches:
-      - generatedSuppressions
+  pull_request_target:
+    # BE CAREFUL - this event runs in the context of the default branch (`main`) workflow definition in the target
+    # repository (NOT the fork's context), so it has potentially sensitive access.
+    # It is critical that this only runs on very limited events and/or access to the repo
+    # Read https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target
+    types: [ closed ]
+    branches: [ generatedSuppressions ]
+    paths: [ generatedSuppressions.xml ]
+
 permissions: {}
 jobs:
   update_suppression:
+    if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true
+
     permissions:
       contents: write # to push changes in repo (jamesives/github-pages-deploy-action)
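Review bot: The third line of the added comment under `pull_request_target:`, `# It is critical that this only runs on very limited events and/or access to the repo`, is ungrammatical and does not state the operative rule a maintainer needs, and the same text is added in the publish-suppressions.yml hunk. Suggest replacing that line with `# It is critical that this workflow only runs on very limited events, keeps its permissions minimal, and never checks out or executes code from the PR head.` and changing `# Read https://...` to `# See https://...`. The jobs that follow each `on:` block are outside these hunks, so whether they currently honour that rule cannot be confirmed from here.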