diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 8b9d8e3..2c49216 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -2,8 +2,15 @@ name: "CLA Assistant"
 on:
   issue_comment:
     types: [created, edited]
-  pull_request:
-    types: [opened,closed,synchronize]
+  pull_request_target:
+    types: [opened, closed, synchronize]
+
+# Recommended permissions scoping for CLA Assistant
+permissions:
+  contents: read
+  actions: write
+  pull-requests: write
+  statuses: write
 
 jobs:
   CLAssistant:
@@ -31,10 +38,10 @@ jobs:
 
           echo "::add-mask::$ALL_MEMBERS"
           echo "org_members=$ALL_MEMBERS" >> $GITHUB_OUTPUT
-        
+
       - name: "CLA Assistant"
-        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request'
-        uses: contributor-assistant/github-action@v2.2.1
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+        uses: contributor-assistant/github-action@v2.6.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PERSONAL_ACCESS_TOKEN: ${{ secrets.REPO_SCOPE }}