diff --git a/.github/workflows/deploy-preview.yml b/.github/workflows/deploy-preview.yml
index 25e0182..40ff591 100644
--- a/.github/workflows/deploy-preview.yml
+++ b/.github/workflows/deploy-preview.yml
@@ -1,11 +1,15 @@
 name: Vercel Preview Deployment
 
+permissions:
+  contents: read # For repository checkout
+  pull-requests: write # For preview URL comments
+
 env:
   VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
   VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}
 
 on:
-  pull_request:
+  pull_request_target:
     branches: [ master ]
     types: [opened, synchronize]
   workflow_dispatch:
@@ -24,8 +28,11 @@ jobs:
           username: ${{github.event.pull_request.user.login}}
           token: ${{ secrets.ORG_READ_PAT }}
 
+      # Checkout PR code only after verification
       - name: Checkout Repository
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Install Vercel Command Line Tools
         run: npm install --global vercel@latest
@@ -43,7 +50,7 @@ jobs:
           echo "url=$DEPLOYMENT_URL" >> $GITHUB_OUTPUT
 
       - name: Add Preview URL to Pull Request Comments
-        if: github.event_name == 'pull_request' && success()
+        if: success()
         uses: actions/github-script@v7
         with:
           script: |
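Review bot: Switching the trigger to `pull_request_target:` means runs started by fork PRs now get the workflow-level `env:` secrets and the `pull-requests: write` token, so the job's safety rests entirely on the verification step, which lies outside this hunk. That trust model should be written down at the trigger, e.g. `# pull_request_target runs with base-repo secrets; PR code must not be checked out or executed before the membership check passes`. I would also move `VERCEL_ORG_ID` and `VERCEL_PROJECT_ID` from the workflow-level `env:` to the individual steps that call the Vercel CLI, so steps that only install or build do not inherit them.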
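Review bot: The new `with:` block checks out the PR head but leaves `actions/checkout` at its default of persisting the job token in the checkout's git configuration, where later steps that execute PR-controlled code (install scripts, the build) can read it; add `persist-credentials: false` next to `ref:`. The comment `# Checkout PR code only after verification` holds only if the preceding step fails the job for non-members; that step starts outside the hunk, so confirm it fails the job and does not merely set an output. On `workflow_dispatch` the `ref:` expression is empty and checkout falls back to the default ref, which deserves a one-line comment if it is intended.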
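Review bot: Reducing the guard to `if: success()` makes the comment step run on `workflow_dispatch` as well, where there is no pull request to comment on. The script body continues outside the hunk, but if it reads the PR or issue number from the event it will presumably fail on manual runs. Rename the event in the guard instead of dropping it: `if: github.event_name == 'pull_request_target' && success()`.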