diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index dcd1b3737..2557445c3 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -1,9 +1,9 @@
 name: Déploiement
 on:
- pull_request:
+ pull_request_target:
 types: [opened, synchronize]
 push:
- branches: [master, demo, next]
+ branches: [master]
 # We display the release notes in the "news" section of mon-entreprise.urssaf.fr so
 # we want to re-deploy the site when a new release is published or edited on
@@ -142,7 +142,26 @@ jobs:
 matrix:
 site: ['', 'en']
 steps:
- - uses: actions/checkout@v3
+ # https://michaelheap.com/access-secrets-from-forks/
+ - name: Get User Permission
+ id: checkAccess
+ uses: actions-cool/check-user-permission@v2
+ with:
+ require: write
+ username: ${{ github.triggering_actor }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Check User Permission
+ if: steps.checkAccess.outputs.require-result == 'false'
+ run: |
+ echo "${{ github.triggering_actor }} does not have permissions on this repo."
+ echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+ echo "Job originally triggered by ${{ github.actor }}"
+ exit 1
+ - name: Checkout code
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }} # This is dangerous without the first access check
 - uses: actions/download-artifact@v3
 with:
 name: static-site
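Review bot: The `Get User Permission` step in the second hunk is now the only thing between a fork's commit, checked out at `head.sha` under the `pull_request_target` trigger introduced in the first hunk, and this job's secrets, yet `actions-cool/check-user-permission@v2` is pinned by a mutable tag; pin it to a full commit SHA, `uses: actions-cool/check-user-permission@<full-commit-sha>  # v2`, so the gate cannot be changed upstream. The `Checkout code` step should also add `persist-credentials: false` under its `with:`, because the default writes the `GITHUB_TOKEN`, which on `pull_request_target` carries the base repository's permissions, into `.git/config`, where any later step that runs code from the checked-out tree can read it. `github.triggering_actor` is whoever re-ran the workflow, so a maintainer re-running a failed run on an untrusted PR passes the gate and executes that PR's code with secrets; this deserves a comment on the step, e.g. `# Re-running this job as a write-permission user approves the PR's code for the steps below`. On the `push` trigger (and the release trigger the header comment describes) `github.event.pull_request` is absent, so `ref:` expands to an empty string, which actions/checkout appears to treat as its default ref; a comment saying so would save the next reader a check. The job's remaining steps continue past the end of the hunk.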