diff --git a/.github/workflows/claude-documentation-reviewer.yml b/.github/workflows/claude-documentation-reviewer.yml
index e2b7a08253..71f34f2f70 100644
--- a/.github/workflows/claude-documentation-reviewer.yml
+++ b/.github/workflows/claude-documentation-reviewer.yml
@@ -1,7 +1,7 @@
 name: Documentation Reviewer
 on:
- pull_request:
+ pull_request_target:
 types: [opened, edited, reopened, synchronize]
 paths:
 - '**.md'
@@ -23,8 +23,8 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
 with:
- # Ensures the action checks out the PR branch instead of main
- ref: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
+ # Use head SHA (not branch ref) to prevent TOCTOU attacks from forks
+ ref: ${{ github.event.pull_request.head.sha || github.sha }}
 fetch-depth: 0 # Need full history to compare with base branch
 - name: Get changed markdown files
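Review bot: Moving the trigger to `pull_request_target` makes this workflow run for fork PRs with the base repository's secrets and a `GITHUB_TOKEN` that is write-scoped by default, so the job needs an explicit least-privilege `permissions:` block unless one already exists in the lines not shown (something like `permissions:` / `  contents: read` / `  pull-requests: write`, trimmed to what the reviewer step actually posts). The `paths:` filter does not reduce that exposure; it only decides which PRs start a run, and the fork author controls the changed-file list. If the reviewer step needs privileged credentials, consider gating the job on a maintainer-applied label (`if: contains(github.event.pull_request.labels.*.name, 'safe-to-review')`) rather than running on every `opened`/`synchronize` from any fork.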
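Review bot: Pinning the checkout to the head SHA closes the branch-ref race but still places attacker-controlled fork content into a job that, under `pull_request_target`, carries the base repo's secrets and token; any later step that executes something from that tree (a script, a package install, a local action) hands those credentials to the PR author. The step should at least add `persist-credentials: false` under `with:` so the token is not written into `.git/config` for subsequent steps, and the comment should state the constraint, e.g. `# PR content is untrusted: only read the changed .md files, never run scripts or tooling from this checkout`. The "Get changed markdown files" step and the rest of the job are outside the hunk, so I cannot confirm whether anything is executed from the checkout. Minor: the `|| github.sha` fallback is unreachable on this trigger (the event payload always carries `pull_request`) but harmless, and `actions/checkout@v4` could be pinned to a commit SHA by the same TOCTOU reasoning the new comment applies to the PR ref.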