diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 61d4c46aa3a8a027061058ea2503fe79458cde33..3acb452463b0e7425c66eb7e64c0030433d4d48b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -64,58 +64,3 @@ jobs:
         with:
           name: build-stats
           path: packages/desktop-client/build-stats
-
-  size-compare:
-    runs-on: ubuntu-latest
-    needs: [web]
-    if: github.event_name == 'pull_request'
-    permissions:
-      pull-requests: write
-    steps:
-      - name: Wait for ${{github.base_ref}} build to succeed
-        uses: fountainhead/action-wait-for-check@v1.1.0
-        id: master-build
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          checkName: web
-          ref: ${{github.base_ref}}
-
-      - name: Report build failure
-        if: steps.master-build.outputs.conclusion == 'failure'
-        run: |
-          echo "Build failed on ${{github.base_ref}}"
-          exit 1
-
-      - name: Download build artifact from ${{github.base_ref}}
-        uses: dawidd6/action-download-artifact@v2
-        id: pr-build
-        with:
-          branch: ${{github.base_ref}}
-          workflow: build.yml
-          name: build-stats
-          path: base
-
-      - name: Download build artifact from PR
-        uses: actions/download-artifact@v2
-        with:
-          name: build-stats
-          path: head
-
-      - name: Strip content hashes from stats files
-        run: |
-          sed -i -E 's/\.[0-9a-f]{8,}\././g' ./head/*.json
-          sed -i -E 's/\.[0-9a-f]{8,}\././g' ./base/*.json
-
-      - uses: github/webpack-bundlesize-compare-action@v1.8.1
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          current-stats-json-path: ./head/desktop-client-stats.json
-          base-stats-json-path: ./base/desktop-client-stats.json
-          title: desktop-client
-
-      - uses: github/webpack-bundlesize-compare-action@v1.8.1
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          current-stats-json-path: ./head/loot-core-stats.json
-          base-stats-json-path: ./base/loot-core-stats.json
-          title: loot-core
diff --git a/.github/workflows/size-compare.yml b/.github/workflows/size-compare.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a21c7ba007bc924b6dd434a88b148aa5eca57214
--- /dev/null
+++ b/.github/workflows/size-compare.yml
@@ -0,0 +1,77 @@
+name: Compare Sizes
+
+##########################################################################################
+# WARNING! This workflow uses the 'pull_request_target' event. That mans that it will    #
+# always run in the context of the main actualbudget/actual repo, even if the PR is from #
+# a fork. This is necessary to get access to a GitHub token that can post a comment on   #
+# the PR. Be VERY CAREFUL about adding things to this workflow, since forks can inject   #
+# arbitrary code into their branch, and can pollute the artifacts we download. Arbitrary #
+# code execution in this workflow could lead to a compromise of the main repo.           #
+##########################################################################################
+# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests    #
+##########################################################################################
+
+on:
+  pull_request_target:
+
+jobs:
+  compare:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Wait for ${{github.base_ref}} build to succeed
+        uses: fountainhead/action-wait-for-check@v1.1.0
+        id: master-build
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          checkName: web
+          ref: ${{github.base_ref}}
+
+      - name: Wait for PR build to succeed
+        uses: fountainhead/action-wait-for-check@v1.1.0
+        id: wait-for-build
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          checkName: web
+          ref: ${{github.event.pull_request.head.sha}}
+
+      - name: Report build failure
+        if: steps.wait-for-build.outputs.conclusion == 'failure'
+        run: |
+          echo "Build failed on PR branch or ${{github.base_ref}}"
+          exit 1
+      - name: Download build artifact from ${{github.base_ref}}
+        uses: dawidd6/action-download-artifact@v2
+        id: pr-build
+        with:
+          branch: ${{github.base_ref}}
+          workflow: build.yml
+          name: build-stats
+          path: base
+
+      - name: Download build artifact from PR
+        uses: dawidd6/action-download-artifact@v2
+        with:
+          pr: ${{github.event.pull_request.number}}
+          workflow: build.yml
+          name: build-stats
+          path: head
+
+      - name: Strip content hashes from stats files
+        run: |
+          sed -i -E 's/\.[0-9a-f]{8,}\././g' ./head/*.json
+          sed -i -E 's/\.[0-9a-f]{8,}\././g' ./base/*.json
+      - uses: github/webpack-bundlesize-compare-action@v1.8.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          current-stats-json-path: ./head/desktop-client-stats.json
+          base-stats-json-path: ./base/desktop-client-stats.json
+          title: desktop-client
+
+      - uses: github/webpack-bundlesize-compare-action@v1.8.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          current-stats-json-path: ./head/loot-core-stats.json
+          base-stats-json-path: ./base/loot-core-stats.json
+          title: loot-core
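Review bot: The `Report build failure` step gates only on `steps.wait-for-build.outputs.conclusion == 'failure'`, so the `master-build` result is never checked even though the message mentions both branches, and any other non-success conclusion (for example a timed-out wait) falls through to the artifact downloads. I would change the condition to `if: steps.master-build.outputs.conclusion != 'success' || steps.wait-for-build.outputs.conclusion != 'success'`, adjusted if some other conclusion is meant to pass. Separately, because this job runs under `pull_request_target` with `pull-requests: write`, the third-party actions referenced by tag (`fountainhead/action-wait-for-check@v1.1.0`, `dawidd6/action-download-artifact@v2`) are worth pinning to a full commit SHA, e.g. `uses: dawidd6/action-download-artifact@<full-commit-sha>  # v2`, so a moved tag cannot change what runs with that token. The `head` artifact is produced by the fork's build, so it should keep being handled as data only; a one-line comment above that download step saying that nothing from `./head` may be executed or sourced would keep the header warning visible where it matters.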
diff --git a/upcoming-release-notes/1214.md b/upcoming-release-notes/1214.md
new file mode 100644
index 0000000000000000000000000000000000000000..9955584ac48c1644ae90f3c04d23fd572dfe5bb9
--- /dev/null
+++ b/upcoming-release-notes/1214.md
@@ -0,0 +1,6 @@
+---
+category: Maintenance
+authors: [j-f1]
+---
+
+Fix the bundle size comparison workflow on fork PRs