diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
index c4419feb..e3ff5e4f 100644
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -1,6 +1,7 @@
 name: Draft release
 
 on:
+  pull_request_target:
   push:
     branches:
     - main
@@ -13,11 +14,15 @@ jobs:
   release-drafter:
     name: Draft release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
     - name: Draft release
       uses: release-drafter/release-drafter@v6
       with:
         disable-releaser: github.ref != 'refs/heads/main'
         config-name: release-drafter.yml
+        commitish: main
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
index 31f13427..99da8c5b 100644
--- a/.github/workflows/publish-docker.yml
+++ b/.github/workflows/publish-docker.yml
@@ -9,16 +9,15 @@ on:
     - main
     tags:
     - v*
-  pull_request:
-
-permissions:
-  contents: read
-  packages: write
+  pull_request_target:
 
 jobs:
   publish-docker:
     name: Build and publish Docker image
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     steps:
     - name: Check out repository
       uses: actions/checkout@v4