diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 4bb529a448..ab6ad4d76d 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -205,35 +205,3 @@ jobs:
 > {{ provided }}
 > ```
 > You'll need to add one before this PR can be merged.
-
- pr-size-labeler:
- name: PR Size Labeler
- if: github.event_name == 'pull_request'
- runs-on: ubuntu-latest
- permissions:
- contents: read
- pull-requests: write
- issues: write
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: PR Size Labeler
- uses: ./.github/actions/pr-sizer
- with:
- xs_label: "size/xs"
- xs_max_size: "10"
- s_label: "size/s"
- s_max_size: "100"
- m_label: "size/m"
- m_max_size: "500"
- l_label: "size/l"
- l_max_size: "1000"
- xl_label: "size/xl"
- fail_if_xl: "false"
- files_to_ignore: |
- package-lock.json
- yarn.lock
- go.sum
- ignore_line_deletions: "false"
- ignore_file_deletions: "false"
diff --git a/.github/workflows/pr-size-labeler.yml b/.github/workflows/pr-size-labeler.yml
new file mode 100644
index 0000000000..b9dc5ad49b
--- /dev/null
+++ b/.github/workflows/pr-size-labeler.yml
@@ -0,0 +1,43 @@
+name: "PR Size Labeler"
+
+# Use pull_request_target to get write permissions for PRs from forks.
+# This is safe because we only use the GitHub API to read file metadata -
+# we never checkout or execute code from the PR.
+on:
+ pull_request_target:
+ types: [opened, synchronize, reopened]
+
+jobs:
+ label:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ issues: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ # Checkout the base branch (not the PR head) for security.
+ # We only need the action definition from .github/actions/pr-sizer/
+ ref: ${{ github.base_ref }}
+
+ - name: PR Size Labeler
+ uses: ./.github/actions/pr-sizer
+ with:
+ xs_label: "size/xs"
+ xs_max_size: "10"
+ s_label: "size/s"
+ s_max_size: "100"
+ m_label: "size/m"
+ m_max_size: "500"
+ l_label: "size/l"
+ l_max_size: "1000"
+ xl_label: "size/xl"
+ fail_if_xl: "false"
+ files_to_ignore: |
+ package-lock.json
+ yarn.lock
+ go.sum
+ ignore_line_deletions: "false"
+ ignore_file_deletions: "false"
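Review bot: The "Checkout repository" step runs in a `pull_request_target` job whose token carries `pull-requests: write` and `issues: write`, yet `actions/checkout@v4` is a mutable tag and the step keeps the token in the workspace's git config by default. Pin the action to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, and add `persist-credentials: false` under `with:` next to `ref:`. The header comment's claim that no PR code is checked out or executed holds for this file, but it also depends on `./.github/actions/pr-sizer`, which is not part of this diff; it is worth confirming there that PR-controlled values such as file names, title and branch name are never interpolated into a shell or script. It may also be worth checking whether labeling needs both write scopes and dropping whichever is not required.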