diff --git a/.github/workflows/harness.yml b/.github/workflows/harness.yml
index 3d3bd9e3..6b2321a5 100644
--- a/.github/workflows/harness.yml
+++ b/.github/workflows/harness.yml
@@ -11,6 +11,11 @@ on:
   # the PR. This allows writing to the docker caches, etc. from PRs ; but mind
   # that if you attempt modification in a PR, of course.
 
+# don't use the default fetch source, as with 'pull_request_target' that will
+# test the target branch only!
+env:
+  GIT_FETCH_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
 
@@ -26,9 +31,10 @@ jobs:
       - name: Checkout
         # This is *only* needed to extract the git version...
         # Approaches like proudust/gh-describe@v1 don't work
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0 # Need full commit history for 'git describe'
+          ref: ${{ env.GIT_FETCH_REF }}
       - name: Get git-describe version
         id: describe
         run: echo "version=$(git describe --tags)" >> "$GITHUB_OUTPUT"
@@ -46,6 +52,10 @@ jobs:
       - name: Make build context image
         uses: docker/build-push-action@v5
         with:
+          # The default context would fetch the default source (ie master on
+          # 'pull_request_target' to master >:( ) ; we have already have fetched
+          # anyway so use the current dir
+          context: .
           target: dev-build-context
           # Caching using GH cache doesn't work, use registry caching directly
           # instead
@@ -58,6 +68,7 @@ jobs:
         id: image
         uses: docker/build-push-action@v5
         with:
+          context: .
           push: true
           tags: ghcr.io/catalalang/catala:${{ steps.describe.outputs.version }}
           build-args: "CATALA_VERSION=${{ steps.describe.outputs.version }}"
@@ -145,9 +156,10 @@ jobs:
     if: ${{ github.event_name != 'pull_request_target' }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0 # Need full commit history for 'git describe'
+          ref: ${{ env.GIT_FETCH_REF }}
       - name: Get git-describe version
         id: describe
         run: echo "version=$(git describe --tags)" >> "$GITHUB_OUTPUT"