From 18b20b2acd7dfc632911b46f2f295d6a4b129448 Mon Sep 17 00:00:00 2001
From: Rowan Cockett
Date: Wed, 24 Apr 2024 11:21:28 -0600
Subject: [PATCH] Change security of pull request branches
---
 .github/workflows/publish.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d32736bb69..871d71fd21 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,6 +1,6 @@
 name: curvenote
 on:
- pull_request:
+ pull_request_target:
 branches: ['2024']
 permissions:
 contents: read
@@ -18,6 +18,7 @@ jobs:
 collection: '2024'
 kind: Article
 path: papers/*
+ ref: ${{ github.event.pull_request.head.sha }}
 secrets:
 CURVENOTE: ${{ secrets.CURVENOTE_TOKEN }}
 GITHUB: ${{ secrets.GITHUB_TOKEN }}
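Review bot: Switching the trigger to `pull_request_target` in the first hunk while the second hunk passes `ref: ${{ github.event.pull_request.head.sha }}` means fork-controlled content is processed by a run that has `CURVENOTE_TOKEN` and the base repository's `GITHUB_TOKEN` in scope. The called workflow is not visible in this patch, so it needs confirming whether anything from the checked-out tree is executed (build scripts, dependency installs, plugins) rather than only read as data; if it is, a fork pull request could reach those secrets. Consider gating the run on maintainer approval, for example `types: [labeled]` under the trigger plus a job-level `if: contains(github.event.pull_request.labels.*.name, 'ready-to-publish')` (the label name is a placeholder), or splitting the work into an unprivileged `pull_request` build and a privileged `workflow_run` upload. The `permissions:` block and the job definition continue outside both hunks, so it is also worth checking that nothing beyond `contents: read` is granted unless required. At minimum add a comment above the trigger, such as `# pull_request_target: runs with secrets on fork PRs; treat papers/* as untrusted input`.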