diff --git a/.github/workflows/preview-env-dispatch.yaml b/.github/workflows/preview-env-dispatch.yaml
index 4dc32652a..0316729e8 100644
--- a/.github/workflows/preview-env-dispatch.yaml
+++ b/.github/workflows/preview-env-dispatch.yaml
@@ -1,13 +1,20 @@
 name: 'Preview Environment Dispatch'
 on:
- pull_request:
+ # Using pull_request_target instead of pull_request to have access to secrets for external contributors
+ # Security note: This is safe because we're only using the repository-dispatch action with limited scope
+ # and not checking out or running any code from the external contributor's PR
+ pull_request_target:
 types: [opened, synchronize, reopened, labeled]
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+ actions: write
+
 jobs:
 changed-files-check:
 uses: ./.github/workflows/changed-files.yaml
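Review bot: The unchanged `concurrency.group` still keys on `github.ref`, which under `pull_request_target` is the base branch rather than `refs/pull/N/merge`, so with `cancel-in-progress: true` a run for one PR will cancel the in-flight run of any other PR against the same base; key it on the PR instead, `group: ${{ github.workflow }}-${{ github.event.pull_request.number }}`. The safety comment added above the trigger also asserts more than this hunk shows: `changed-files-check` calls `./.github/workflows/changed-files.yaml` and the remaining jobs lie outside the hunk, so the claim holds only if none of them checks out `github.event.pull_request.head.sha` or expands PR-controlled fields (title, branch name, label) inside a `run:` script or the dispatch payload. I would reword the comment as a maintained invariant, e.g. `# Invariant: no job here or in changed-files.yaml may check out or execute code from the PR head`. The workflow-level `actions: write` is worth confirming too: if the dispatch step authenticates with its own secret, the `GITHUB_TOKEN` may not need it, and scoping `permissions` per job would keep the reusable workflow at `contents: read`.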