diff --git a/.github/workflows/pr_labeler.yml b/.github/workflows/pr_labeler.yml
index 50edec08cc9..0870f1673de 100644
--- a/.github/workflows/pr_labeler.yml
+++ b/.github/workflows/pr_labeler.yml
@@ -27,7 +27,8 @@ name: "🏷️ PR Labeler"
 on:
   # Safe since we're not checking out or running the PR's code.
-  # Never check out the PR's head in a pull_request_target job.
+  # NEVER CHECK OUT UNTRUSTED CODE FROM A PR's HEAD IN A pull_request_target JOB.
+  # Doing so would allow attackers to execute arbitrary code in the context of your repository.
   pull_request_target:
     types: [opened, synchronize, reopened, edited]
diff --git a/.github/workflows/require_issue_link.yml b/.github/workflows/require_issue_link.yml
index 5f43033aca4..cb300e8f72b 100644
--- a/.github/workflows/require_issue_link.yml
+++ b/.github/workflows/require_issue_link.yml
@@ -13,6 +13,8 @@ name: Require Issue Link
 on:
   pull_request_target:
+    # NEVER CHECK OUT UNTRUSTED CODE FROM A PR's HEAD IN A pull_request_target JOB.
+    # Doing so would allow attackers to execute arbitrary code in the context of your repository.
     types: [edited, reopened, labeled, unlabeled]
 # ──────────────────────────────────────────────────────────────────────────────
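Review bot: The retained line `# Safe since we're not checking out or running the PR's code.` overstates the guarantee: with `pull_request_target` firing on `opened`/`synchronize`/`edited`, the PR title, body and head branch name are attacker-controlled, so a job that interpolates `${{ github.event.pull_request.* }}` directly into a `run:` step is still injectable even without any checkout. The job definitions are outside this hunk, so I cannot confirm whether they do this; the comment should state the full invariant rather than only the checkout half, e.g. `# Also never interpolate github.event.pull_request.* (title, body, head.ref) into run: steps — pass them through env: instead.` Pairing the warning with an explicit least-privilege `permissions:` block (not visible in this hunk) would make the claim enforceable rather than advisory.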
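Review bot: The added warning in require_issue_link.yml sits between `pull_request_target:` and its `types:` list, which parses fine, but unlike pr_labeler.yml this file carries no note on why `pull_request_target` (with its write-capable token) is needed here, so the next editor has no stated reason not to downgrade to `pull_request` or, worse, to add a checkout. Since `edited` and `labeled` events deliver attacker-controlled title/body text to the run, a one-line justification alongside the warning — `# pull_request_target is used only for token write access (labels/comments); the job must neither run nor interpolate PR-controlled content.` — would record the invariant that keeps this trigger safe. Whether the jobs honor that invariant cannot be confirmed from this hunk, as they lie outside it.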