diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index b10a5e89a16..3c874d118c9 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,65 +1,64 @@
-# name: Lint
-# 
-# on:
-#   pull_request_target:
-#   workflow_dispatch:
-#   merge_group:
-# 
-# jobs:
-#   lint:
-#     runs-on: ubuntu-latest
-#     permissions:
-#       contents: read
-#     steps:
-#       - uses: actions/checkout@v6.0.2
-#         with:
-#           ref: ${{ github.event.pull_request.head.sha || github.ref }}
-#           repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
-# 
-#       - name: Setup Ruby
-#         uses: ruby/setup-ruby@v1.306.0
-#         with:
-#           bundler-cache: false
-# 
-#       - name: Install dependencies
-#         run: bundle install
-# 
-#       - name: Run RuboCop
-#         run: |
-#           bundle exec rubocop
-# 
-#   autocorrect:
-#     if: github.event.pull_request.head.repo.full_name == github.repository
-#     runs-on: ubuntu-latest
-#     permissions:
-#       contents: write
-#     steps:
-#       - uses: actions/checkout@v6.0.2
-#         with:
-#           ref: ${{ github.event.pull_request.head.ref || github.ref }}
-# 
-#       - name: Setup Ruby
-#         uses: ruby/setup-ruby@v1.306.0
-#         with:
-#           bundler-cache: true
-# 
-#       - name: Run RuboCop with auto-correct
-#         run: |
-#           bundle exec rubocop -A
-# 
-#       - name: Check for changes
-#         run: |
-#           git config --global user.name "github-actions[bot]"
-#           git config --global user.email "github-actions[bot]@users.noreply.github.com"
-#           if git status --porcelain | grep .; then
-#             echo "changes=true" >> $GITHUB_ENV
-#           else
-#             echo "changes=false" >> $GITHUB_ENV
-#           fi
-# 
-#       - name: Commit and push changes
-#         if: env.changes == 'true'
-#         run: |
-#           git add .
-#           git commit -m "chore: auto-corrected with RuboCop"
-#           git push
+name: Lint
+
+on:
+  # Use `pull_request` (not `pull_request_target`): this workflow checks out and
+  # runs untrusted PR code, so it must not run with access to repository secrets.
+  pull_request:
+  workflow_dispatch:
+  merge_group:
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v6.0.2
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
+        with:
+          bundler-cache: false
+
+      - name: Install dependencies
+        run: bundle install
+
+      - name: Run RuboCop
+        run: |
+          bundle exec rubocop
+
+  autocorrect:
+    if: github.event.pull_request.head.repo.full_name == github.repository
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v6.0.2
+        with:
+          ref: ${{ github.event.pull_request.head.ref || github.ref }}
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
+        with:
+          bundler-cache: true
+
+      - name: Run RuboCop with auto-correct
+        run: |
+          bundle exec rubocop -A
+
+      - name: Check for changes
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+          if git status --porcelain | grep .; then
+            echo "changes=true" >> $GITHUB_ENV
+          else
+            echo "changes=false" >> $GITHUB_ENV
+          fi
+
+      - name: Commit and push changes
+        if: env.changes == 'true'
+        run: |
+          git add .
+          git commit -m "chore: auto-corrected with RuboCop"
+          git push