diff --git a/.github/workflows/lat-check.yaml b/.github/workflows/lat-check.yaml
index a9a7de7..263744d 100644
--- a/.github/workflows/lat-check.yaml
+++ b/.github/workflows/lat-check.yaml
@@ -1,6 +1,15 @@
 name: lat check
-on: [push, pull_request]
+on:
+  push:
+  pull_request_target:
+    # `lat check` is a pure static analyzer: tree-sitter parsing of source
+    # files, regex scanning for `@lat:` comments, and markdown parsing. It
+    # never installs dependencies, requires/imports from the checkout, or
+    # loads config from the working tree.
+    types: [opened, synchronize, reopened]
+# Read-only token. With `pull_request_target` + PR-head checkout, this is
+# the primary blast-radius limiter if the invariant above is ever broken.
 permissions:
   contents: read
@@ -8,5 +17,13 @@ jobs:
   lat-check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: lars20070/lat-check-action@v1
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+        with:
+          # `pull_request_target` checks out the base by default.
+          # Pin to the PR head SHA so we actually check the PR's changes.
+          # `push` has no PR payload, so fall through to `github.sha`,
+          # i.e. the pushed commit.
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+          # Don't write the GITHUB_TOKEN into .git/config
+          persist-credentials: false
+      - uses: lars20070/lat-check-action@94f09a73ede7899a2bb3acbda2d3ea1455bbddf9
diff --git a/website/.DS_Store b/website/.DS_Store
deleted file mode 100644
index 1e81424..0000000
Binary files a/website/.DS_Store and /dev/null differ
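Review bot: The `on:` block switches to `pull_request_target` but nothing in the hunk says why the privileged event is needed: the job declares only `contents: read`, checks out the PR head, and the comment states the analyzer needs nothing from the checkout, so the visible workflow would behave the same under plain `pull_request`, which gives fork PRs a read-only token with no base-repo context to protect at all. If there is a reason (for example the action needing base-repo secrets or write access to report results), state it next to the trigger, e.g. `# pull_request_target rather than pull_request because: <reason>`; if there is none, switching the trigger removes the need for the invariant entirely. The invariant comment is also enforced only by the SHA pin on `lars20070/lat-check-action` in the second hunk, so it should add that bumping that pin requires re-checking the action still installs nothing and reads no config from the working tree. Lastly, `push:` with no branch filter plus `pull_request_target` runs the job twice for same-repo PRs; a `branches:` filter on `push` would avoid the duplicate run.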
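Review bot: The two SHA pins on `uses:` carry no human-readable version, so a reader or a dependency-update bot cannot tell which release each hash corresponds to or when it has drifted; the usual form is a trailing comment, `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # <tag this SHA resolves to>`, and likewise for the `lars20070/lat-check-action` pin. Also, `persist-credentials: false` keeps the token out of `.git/config` but does not withhold it from later steps, since `github.token` and `secrets.GITHUB_TOKEN` remain available to expressions; if `lat-check-action` declares a token input with a default, confirm it is not silently receiving the base-repo token on `pull_request_target` runs, or pass an empty value explicitly. The `steps:` sequence is complete within the hunk.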