From 42dfa4498acc98f436ed88fe5f3c5ed2f35ac38d Mon Sep 17 00:00:00 2001
From: hiromieguchi802-lab
 <270042125+hiromieguchi802-lab@users.noreply.github.com>
Date: Tue, 24 Mar 2026 13:39:13 +0800
Subject: [PATCH 1/2] docs: clarify fork token permissions for pull_request

---
 .../actions/reference/workflows-and-actions/workflow-syntax.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/actions/reference/workflows-and-actions/workflow-syntax.md b/content/actions/reference/workflows-and-actions/workflow-syntax.md
index 2cc3121c74ae..3f35c3194893 100644
--- a/content/actions/reference/workflows-and-actions/workflow-syntax.md
+++ b/content/actions/reference/workflows-and-actions/workflow-syntax.md
@@ -279,7 +279,7 @@ The value of this parameter is a string specifying the data type of the input. T
 
 ## How permissions are calculated for a workflow job
 
-The permissions for the `GITHUB_TOKEN` are initially set to the default setting for the enterprise, organization, or repository. If the default is set to the restricted permissions at any of these levels then this will apply to the relevant repositories. For example, if you choose the restricted default at the organization level then all repositories in that organization will use the restricted permissions as the default. The permissions are then adjusted based on any configuration within the workflow file, first at the workflow level and then at the job level. Finally, if the workflow was triggered by a pull request from a forked repository, and the **Send write tokens to workflows from pull requests** setting is not selected, the permissions are adjusted to change any write permissions to read only.
+The permissions for the `GITHUB_TOKEN` are initially set to the default setting for the enterprise, organization, or repository. If the default is set to the restricted permissions at any of these levels then this will apply to the relevant repositories. For example, if you choose the restricted default at the organization level then all repositories in that organization will use the restricted permissions as the default. The permissions are then adjusted based on any configuration within the workflow file, first at the workflow level and then at the job level. Finally, if the workflow was triggered by the `pull_request` event from a forked repository, and the **Send write tokens to workflows from pull requests** setting is not selected, the permissions are adjusted to change any write permissions to read only.
 
 ### Setting the `GITHUB_TOKEN` permissions for all jobs in a workflow
 

From 1222ac3b502b9b718d67987733f28b7c9cda4f47 Mon Sep 17 00:00:00 2001
From: hiromieguchi802-lab
 <270042125+hiromieguchi802-lab@users.noreply.github.com>
Date: Tue, 24 Mar 2026 13:42:23 +0800
Subject: [PATCH 2/2] docs: refine forked pull request token wording

---
 .../actions/reference/workflows-and-actions/workflow-syntax.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/actions/reference/workflows-and-actions/workflow-syntax.md b/content/actions/reference/workflows-and-actions/workflow-syntax.md
index 3f35c3194893..f98cc52d0076 100644
--- a/content/actions/reference/workflows-and-actions/workflow-syntax.md
+++ b/content/actions/reference/workflows-and-actions/workflow-syntax.md
@@ -279,7 +279,7 @@ The value of this parameter is a string specifying the data type of the input. T
 
 ## How permissions are calculated for a workflow job
 
-The permissions for the `GITHUB_TOKEN` are initially set to the default setting for the enterprise, organization, or repository. If the default is set to the restricted permissions at any of these levels then this will apply to the relevant repositories. For example, if you choose the restricted default at the organization level then all repositories in that organization will use the restricted permissions as the default. The permissions are then adjusted based on any configuration within the workflow file, first at the workflow level and then at the job level. Finally, if the workflow was triggered by the `pull_request` event from a forked repository, and the **Send write tokens to workflows from pull requests** setting is not selected, the permissions are adjusted to change any write permissions to read only.
+The permissions for the `GITHUB_TOKEN` are initially set to the default setting for the enterprise, organization, or repository. If the default is set to the restricted permissions at any of these levels then this will apply to the relevant repositories. For example, if you choose the restricted default at the organization level then all repositories in that organization will use the restricted permissions as the default. The permissions are then adjusted based on any configuration within the workflow file, first at the workflow level and then at the job level. Finally, if the workflow was triggered by a pull request event other than `pull_request_target` from a forked repository, and the **Send write tokens to workflows from pull requests** setting is not selected, the permissions are adjusted to change any write permissions to read only.
 
 ### Setting the `GITHUB_TOKEN` permissions for all jobs in a workflow