diff --git a/.github/workflows/pr-license-scan.yaml b/.github/workflows/pr-license-scan.yaml index 1778a0e7..47e85363 100644 --- a/.github/workflows/pr-license-scan.yaml +++ b/.github/workflows/pr-license-scan.yaml @@ -1,19 +1,18 @@ name: PR license scan on: - pull_request: + pull_request_target: # this is safe as these scans do not execute provided code jobs: fossa-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: "Run FOSSA Analyze" - uses: fossas/fossa-action@main with: - api-key: 1d5511d63d5a4ccda6d3cef2a7ef08c1 # push-only token, safe to expose - - name: "Run FOSSA Test" - uses: fossas/fossa-action@main + ref: ${{ github.head_ref }} + - name: "Install FOSSA" + uses: replicatedhq/action-fossa/install@main + - name: "Run FOSSA Scan" + uses: replicatedhq/action-fossa/scan@main with: - api-key: 1d5511d63d5a4ccda6d3cef2a7ef08c1 # push-only token, safe to expose - run-tests: true + api-key: ${{ secrets.FOSSA_API_KEY }}
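Review bot: Switching the trigger to `pull_request_target` while checking out `ref: ${{ github.head_ref }}` runs the PR author's tree inside a workflow that carries the base repository's secrets (`secrets.FOSSA_API_KEY`) and its `GITHUB_TOKEN`, and the inline comment's claim that the scan does not execute provided code is hard to stand behind, since FOSSA's dependency analysis reads manifests and can invoke the project's own build tooling, which the PR controls. If the key is only needed for same-repo PRs, the original `pull_request` trigger is the safer choice; if fork PRs must be scanned with the key, gate the job behind maintainer approval (an `environment` with required reviewers or a label check), check out the immutable `ref: ${{ github.event.pull_request.head.sha }}` instead of a movable branch name, and add `permissions: contents: read` on the job. Note also that `head_ref` without a `repository:` input names a branch in the base repo, so for fork PRs this checkout presumably does not resolve to the fork's code — confirm which PRs this is meant to cover. Both `replicatedhq/action-fossa/install@main` and `scan@main` are consumed at a mutable ref; pinning them to a commit SHA closes the supply-chain gap, and the removed literal key `1d5511d63d5a4ccda6d3cef2a7ef08c1` remains in git history and should be revoked regardless of the move to a secret.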