diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 2557445c3..dcd1b3737 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -1,9 +1,9 @@
 name: Déploiement
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize]
   push:
-    branches: [master]
+    branches: [master, demo, next]
 
   # We display the release notes in the "news" section of mon-entreprise.urssaf.fr so
   # we want to re-deploy the site when a new release is published or edited on
@@ -142,26 +142,7 @@ jobs:
       matrix:
         site: ['', 'en']
     steps:
-      # https://michaelheap.com/access-secrets-from-forks/
-      - name: Get User Permission
-        id: checkAccess
-        uses: actions-cool/check-user-permission@v2
-        with:
-          require: write
-          username: ${{ github.triggering_actor }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Check User Permission
-        if: steps.checkAccess.outputs.require-result == 'false'
-        run: |
-          echo "${{ github.triggering_actor }} does not have permissions on this repo."
-          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
-          echo "Job originally triggered by ${{ github.actor }}"
-          exit 1
-      - name: Checkout code
-        uses: actions/checkout@v3
-        with:
-          ref: ${{  github.event.pull_request.head.sha }} # This is dangerous without the first access check
+      - uses: actions/checkout@v3
       - uses: actions/download-artifact@v3
         with:
           name: static-site