diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
index 2c1fed77b..f1a5527e2 100644
--- a/.github/workflows/coverage.yaml
+++ b/.github/workflows/coverage.yaml
@@ -1,6 +1,12 @@
 name: coverage
-on: [push]
+on:
+  # this allows for `contents: write` and `pull-requests: write` from forks
+  pull_request_target:
+
+# limit default permissions to just read-only checkouts
+permissions:
+  contents: read
 jobs:
   coverage:
@@ -15,7 +21,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
         with:
-          ref: ${{ matrix.branch == 'main' && 'main' || '' }}
+          # for safety, `pull_request_target` changes the default checkout to be the target branch, so we have to request the merge (we're limited to `permissions: {contents: read}`, so this is ok)
+          ref: ${{ matrix.branch == 'main' && 'main' || (github.event.pull_request && format('refs/pull/{0}/merge', github.event.pull_request.number)) || '' }}
       - name: Bazel cache
         id: bazel-cache
@@ -48,6 +55,10 @@ jobs:
   comment:
     runs-on: ubuntu-latest
     needs: [coverage]
+    permissions:
+      # needed to add coverage comment to the pull request
+      pull-requests: write
+
     steps:
       - uses: actions/github-script@v6
         with:
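Review bot: The comment above `pull_request_target:` names what the token may do but omits the consequence a maintainer needs when reading this trigger: for pull requests from forks the whole workflow now runs in the base repository's context, so every job gets a write-capable token and access to repository secrets, and only the `permissions` blocks narrow the token. I would replace the comment with `# pull_request_target runs in the base repo context (write-capable token, repository secrets) so fork PRs can be commented on; the permissions blocks narrow the token, but any job that builds fork code must stay free of secrets`. The top-level `permissions: contents: read` is the right default; the bare `pull_request_target:` value is what GitHub expects for the default activity types and needs no change.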
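Review bot: The "so this is ok" in the new comment over `ref:` covers only the `GITHUB_TOKEN`; checking out `refs/pull/N/merge` under `pull_request_target` and then running the Bazel build executes fork-controlled code in the base repository's context, where any `secrets.*` referenced by this job (none are visible in the hunk) would be reachable, and the `Bazel cache` step that follows saves entries in the base-branch scope that later `main` builds can restore. I would soften the comment to say the token is read-only but the job must not reference secrets, and treat the cache as a second concern: only persist the cache from the `matrix.branch == 'main'` leg (or restore read-only on PR runs, e.g. with `actions/cache/restore`), or move the build to a plain `pull_request` workflow and post the comment from a `workflow_run` job. The coverage job's definition starts and ends outside this hunk, so whether secrets are used elsewhere in it cannot be confirmed here.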
@@ -55,10 +66,16 @@ jobs:
             const pr = ${{fromJson(needs.coverage.outputs.cov-pr).totals.percent_covered}};
             const main = ${{fromJson(needs.coverage.outputs.cov-main).totals.percent_covered}};
             const diff = pr - main;
-            github.rest.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: `### Coverage report
-            **Main**: ${main.toFixed(2)}% | **PR**: ${pr.toFixed(2)}% | **Diff: ${diff.toFixed(2)} ${diff >= 0 ? '✅' : '⚠️'}**`
-            })
+            const report = `### Coverage report
+            **Main**: ${main.toFixed(2)}% | **PR**: ${pr.toFixed(2)}% | **Diff: ${diff.toFixed(2)} ${diff >= 0 ? '✅' : '⚠️'}**`;
+            await core.summary.addRaw(report).write()
+            try {
+              github.rest.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: report
+              })
+            } catch (e) {
+              console.log("Could not post comment to pull request", e)
+            }
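Review bot: With the trigger now `pull_request_target`, the two context lines `const pr = ${{fromJson(needs.coverage.outputs.cov-pr)...}}` and `const main = ...` splice a value that is presumably produced by the fork-built coverage run straight into JavaScript executed by a job holding `pull-requests: write`; a non-numeric `percent_covered` would at best break the script and at worst run as code, so the value should enter via `env:` and be parsed and validated inside the script rather than interpolated. Separately, the new `try` block cannot do its job: `github.rest.issues.createComment(...)` returns a promise that is not awaited, so a rejected call escapes the `catch` as an unhandled rejection; it needs `await`. While there, `core.warning("Could not post comment to pull request", e)` would surface the failure as a run annotation instead of a plain log line. The step's `with:`/`script: |` header lies outside this hunk, so the `env:` placement below is inferred.
```yaml
      env:
        COV_PR: ${{ fromJson(needs.coverage.outputs.cov-pr).totals.percent_covered }}
        COV_MAIN: ${{ fromJson(needs.coverage.outputs.cov-main).totals.percent_covered }}
      with:
        script: |
          const pr = Number(process.env.COV_PR);
          const main = Number(process.env.COV_MAIN);
          if (!Number.isFinite(pr) || !Number.isFinite(main)) {
            core.setFailed('coverage totals are not numeric');
            return;
          }
          const diff = pr - main;
          // … unchanged: report template and core.summary write …
          try {
            await github.rest.issues.createComment({
              // … unchanged: issue_number, owner, repo, body …
            })
          } catch (e) {
            core.warning("Could not post comment to pull request", e)
          }
```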