diff --git a/.github/workflows/recipe-security-scanner.yml b/.github/workflows/recipe-security-scanner.yml
index 88084eb3fb80..4e8d0b327e53 100644
--- a/.github/workflows/recipe-security-scanner.yml
+++ b/.github/workflows/recipe-security-scanner.yml
@@ -1,7 +1,7 @@
 name: Recipe Security Scan
 on:
- pull_request:
+ pull_request_target:
 types: [opened, synchronize, reopened]
 paths:
 - 'documentation/src/pages/recipes/data/recipes/**'
@@ -13,6 +13,7 @@ concurrency:
 permissions:
 contents: read
 pull-requests: write
+ issues: write
 statuses: write
 
 jobs:
@@ -140,6 +141,12 @@ jobs:
 # Set permissions for Docker container (scanner user is UID 1000)
 sudo chmod -R 777 "$OUT" || true
 
+ # Verify secrets are available (without logging details)
+ if [ -z "$OPENAI_API_KEY" ] || [ -z "$TRAINING_DATA_LOW" ] || [ -z "$TRAINING_DATA_MEDIUM" ] || [ -z "$TRAINING_DATA_EXTREME" ]; then
+ echo "❌ One or more required secrets are missing or inaccessible"
+ exit 1
+ fi
+
 # Initialize overall scan results
 echo '{"scanned_recipes": [], "overall_status": "UNKNOWN", "failed_scans": 0}' > "$OUT/pr_scan_summary.json"
diff --git a/.github/workflows/validate-recipe-pr.yml b/.github/workflows/validate-recipe-pr.yml
index da39ddd015c9..af78512feb6c 100644
--- a/.github/workflows/validate-recipe-pr.yml
+++ b/.github/workflows/validate-recipe-pr.yml
@@ -1,7 +1,7 @@
 name: Validate Recipe PR
 on:
- pull_request:
+ pull_request_target:
 types: [opened, synchronize, reopened]
 paths:
 - 'documentation/src/pages/recipes/data/recipes/**'
@@ -9,6 +9,7 @@ on:
 permissions:
 contents: read
 pull-requests: write
+ issues: write
 
 jobs:
 validate-recipe:
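Review bot: Switching the trigger to `pull_request_target` makes this workflow run in the base-repository context, so the job token carrying `pull-requests: write`, `issues: write` and `statuses: write`, plus the secrets the file checks further down (`OPENAI_API_KEY`, `TRAINING_DATA_*`), are now available to any pull request including ones from forks, while the job processes the very recipe files that PR supplies; the same trigger change is made in the first hunk of validate-recipe-pr.yml. Whether that is safe depends on the checkout and scanner steps, which are outside this hunk: if the job checks out the PR head and then runs anything taken from it (a script, a Dockerfile, a dependency manifest), PR content controls a privileged run. If the head must be checked out, use `ref: ${{ github.event.pull_request.head.sha }}` together with `persist-credentials: false`, treat the checked-out tree as data only, and keep the secret-bearing steps separate from any step that executes it; the more robust shape is to keep the scan on `pull_request` and move the commenting/status update that needs write access into a separate `workflow_run` job. A comment above the trigger recording the decision, e.g. `# pull_request_target: runs with base-repo secrets and a write token on fork PRs — never execute code from the PR head in this workflow`, would keep a later edit from widening it unknowingly.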
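Review bot: The secret guard in the `if [ -z ... ] || ...` chain exits without saying which of the four variables was empty, so a secret that was never configured is reported exactly like one whose name is mistyped in the step's `env:` mapping, and the operator has to bisect by hand; printing the variable name (never its value) keeps the "without logging details" intent while making the failure actionable. The step's surrounding lines and its `env:` block are outside the hunk, so I am assuming the four names are populated from `secrets.*` there and that the step runs under bash, which the `${!name}` indirection below needs. Looping over the names also turns adding a fifth secret into a one-word change.
```yaml
# Verify secrets are available (report the missing name only, never the value)
for name in OPENAI_API_KEY TRAINING_DATA_LOW TRAINING_DATA_MEDIUM TRAINING_DATA_EXTREME; do
  if [ -z "${!name}" ]; then
    echo "❌ Required secret $name is missing or inaccessible"
    exit 1
  fi
done
# … unchanged: initialize overall scan results …
```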
@@ -158,7 +159,7 @@ jobs:
 
 # Check if this is a new file or an update to existing file
 # Get list of changed files in this PR compared to base branch
- CHANGED_FILES=$(git diff --name-only origin/${{ github.event.pull_request.base.ref }}...HEAD | grep "^$RECIPE_FILE$" || true)
+ CHANGED_FILES=$(git diff --name-only --diff-filter=AM origin/${{ github.event.pull_request.base.ref }}...HEAD | grep "^$RECIPE_FILE$" || true)
 EXISTING_FILES=$(find documentation/src/pages/recipes/data/recipes/ -name "$FILENAME.yaml" -o -name "$FILENAME.yml" | grep -v "^$RECIPE_FILE$" || true)
 
 if [ -n "$EXISTING_FILES" ] && [ -z "$CHANGED_FILES" ]; then
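Review bot: With the trigger now `pull_request_target`, the default checkout ref is the base branch rather than the PR merge commit, so unless the checkout step (outside this hunk) explicitly fetches the PR head, `origin/<base>...HEAD` compares the base branch with itself and `CHANGED_FILES` is always empty, which sends every PR that reuses an existing recipe name into the `EXISTING_FILES` error branch regardless of the new `--diff-filter=AM`; confirm the checkout fetches `github.event.pull_request.head.sha` and that `origin/<base>` exists in the clone, since a shallow default clone will not have it. Independently, the base ref is interpolated straight into the shell line via `${{ github.event.pull_request.base.ref }}`; the usual hardening is to pass it through the step's `env:` as `BASE_REF: ${{ github.event.pull_request.base.ref }}` and write `origin/$BASE_REF...HEAD`, so the shell never sees an expression-expanded value. The enclosing step starts before this hunk.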