diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e1044f51f..984ff6ac3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,12 +1,17 @@
 name: CI
 
+# Run on pull_request_target to access secrets.GRADLE_ENCRYPTION_KEY,
+# and ensure permissions are marked read-only
+
 on:
   push:
     tags:
       - '*'
-  pull_request:
+  pull_request_target:
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   build:
     strategy: