Workflow runs on pull request but not pull request target

I understand that the pull_request_target event behaves in an almost identical way to the pull_request event. However, when I push a commit to a PR, my workflow only runs on pull_request and does not run on pull_request_target. Shouldn’t the workflow run on either of those events? Does pull_request_target already need to be on the default branch in order to run the workflow when a pull request is made?

on:
  pull_request_target:
    types: [opened, synchronize]

Does pull_request_target already need to be on the default branch in order to run the workflow when a pull request is made?

Indeed, it does. With pull_request_target, the checkout action won’t check out the code of the head branch but of the base branch. This is for security reasons. It would be possible to do an explicit checkout to run the head branch code, but that is not safe. See this article:

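As an added example (not part of the thread above), here is a small stdlib-only audit that flags workflows triggered by pull_request_target that explicitly check out the pull request's head, the pattern the answer calls unsafe. The function names and sample workflows are constructed for illustration, and the matching is a line-based heuristic rather than a full YAML parse.

```python
import re

# Checkout refs that resolve to the pull request's head, i.e. contributor-controlled code.
HEAD_REF = re.compile(
    r"\bref:\s*.*(github\.event\.pull_request\.head\.(sha|ref)"
    r"|github\.head_ref|refs/pull/.+/(head|merge))"
)
TARGET = re.compile(r"\bpull_request_target\b")

def strip_comment(line):
    """Drop a trailing YAML comment (naive: ignores '#' inside quoted strings)."""
    return re.sub(r"(^|\s)#.*$", "", line)

def uses_target_trigger(lines):
    """True if pull_request_target appears inside the top-level `on:` block."""
    in_on = False
    for line in lines:
        if re.match(r"""^["']?on["']?\s*:""", line):
            in_on = True
        elif re.match(r"^\S", line):
            in_on = False  # the next top-level key ends the on: block
        if in_on and TARGET.search(line):
            return True
    return False

def audit_workflow(text):
    """Return (line_number, line) for each head-ref checkout in a
    pull_request_target workflow; empty list if none or if not so triggered."""
    lines = [strip_comment(l) for l in text.splitlines()]
    if not uses_target_trigger(lines):
        return []
    return [(n, l.strip()) for n, l in enumerate(lines, 1) if HEAD_REF.search(l)]

# Constructed sample workflows (not taken from the thread).
TRIGGER = "on:\n  pull_request_target:\n    types: [opened, synchronize]\n"
STEPS = "jobs:\n  check:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n"
HEAD = "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n"
BASE_ONLY = TRIGGER + STEPS               # default checkout: base branch code
HEAD_CHECKOUT = TRIGGER + STEPS + HEAD    # explicit checkout of the PR head
PR_EVENT = TRIGGER.replace("pull_request_target", "pull_request") + STEPS + HEAD

if __name__ == "__main__":
    for name, wf in [("base", BASE_ONLY), ("head", HEAD_CHECKOUT), ("pr", PR_EVENT)]:
        print(name, audit_workflow(wf))
```

Only the second sample is reported: the first keeps the default base-branch checkout, and the third is triggered by pull_request rather than pull_request_target.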