The workflows were set up to execute with a read/write `GITHUB_TOKEN` for `nx` when a PR was created/edited (no approval necessary).

See the security warnings on `pull_request_target`

https://docs.github.com/en/actions/reference/workflows-and-a...

https://securitylab.github.com/resources/github-actions-prev...