diff --git a/.github/workflows/test-comment.yml b/.github/workflows/test-comment.yml
new file mode 100644
index 000000000..2a763f685
--- /dev/null
+++ b/.github/workflows/test-comment.yml
@@ -0,0 +1,63 @@
+# This workflow runs after test.yml and comments the test coverage on the pull request.
+name: Comment test coverage on the pull request
+
+on:
+ workflow_run:
+ workflows: ["Tests"]
+ types:
+ - completed
+
+jobs:
+ upload:
+ runs-on: ubuntu-latest
+ if: >
+ github.event.workflow_run.event == 'pull_request' &&
+ github.event.workflow_run.conclusion == 'success'
+ steps:
+ - name: 'Download artifact'
+ uses: actions/github-script@v3.1.0
+ with:
+ script: |
+ var artifacts = await github.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{github.event.workflow_run.id }},
+ });
+ var matchArtifact = artifacts.data.artifacts.find((artifact) => {
+ return artifact.name == "result"
+ })[0];
+ if (!matchArtifact) {
+ var core = require('@actions/core');
+ core.setFailed('Artifact "result" not found.');
+ return;
+ }
+ var download = await github.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ var fs = require('fs');
+ fs.writeFileSync('${{github.workspace}}/result.zip', Buffer.from(download.data));
+ - run: unzip result.zip -d result
+ - name: Read PR Number and Coverage
+ id: read_files
+ run: |
+ pr_number=$(cat result/pr_number.txt)
+ coverage=$(cat result/coverage.txt)
+ echo "PR_NUMBER=${pr_number}" >> $GITHUB_ENV
+ echo "COVERAGE=${coverage}" >> $GITHUB_ENV
+ - name: Find comment
+ id: find-comment
+ uses: peter-evans/find-comment@v2
+ with:
+ issue-number: ${{ env.PR_NUMBER }}
+ comment-author: 'github-actions[bot]'
+ - name: Comment coverage on PR
+ uses: peter-evans/create-or-update-comment@v3
+ with:
+ issue-number: ${{ env.PR_NUMBER }}
+ comment-id: ${{ steps.find-comment.outputs.comment-id }}
+ body: |
+ Coverage as of ${{ github.sha }}: ${{ env.COVERAGE }}%
+ edit-mode: append
\ No newline at end of file
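Review bot: The `Read PR Number and Coverage` step copies the contents of `result/pr_number.txt` and `result/coverage.txt` into `$GITHUB_ENV` without validation, although the artifact is produced by the `pull_request` run and is therefore controlled by whoever opened the PR. A value with a newline can define extra environment variables for the later steps, and an arbitrary number lets the comment land on a different issue or PR, so the step should accept only a single numeric line from each file (sketch below; the coverage pattern assumes a plain number). Separately, in the download script `find(...)` already returns the matching element, so the trailing `[0]` leaves `matchArtifact` undefined and the step always fails; drop the `[0]`. The workflow also declares no `permissions:` block; since it only reads artifacts and writes a PR comment, `actions: read` and `pull-requests: write` look sufficient.

```yaml
      - name: Read PR Number and Coverage
        id: read_files
        run: |
          # The artifact comes from an untrusted pull_request run: take one line and require it to be numeric.
          pr_number=$(head -n 1 result/pr_number.txt)
          coverage=$(head -n 1 result/coverage.txt)
          [[ "$pr_number" =~ ^[0-9]+$ ]] || { echo "unexpected pr_number.txt content"; exit 1; }
          [[ "$coverage" =~ ^[0-9]+(\.[0-9]+)?$ ]] || { echo "unexpected coverage.txt content"; exit 1; }
          echo "PR_NUMBER=${pr_number}" >> "$GITHUB_ENV"
          echo "COVERAGE=${coverage}" >> "$GITHUB_ENV"
      # … unchanged: Find comment and Comment coverage on PR steps …
```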
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 9d669e41d..39b8cf775 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,7 +1,13 @@ +# This workflow runs on every push and pull request to the repository. +# It then calculates the unit test coverage and checks if it's above a certain threshold. +# this information is passed on to another workflow as artifacts for commenting on the PR. +# This is because the `pull_request` event does not have the commenting permissions. +# We could switch to `pull_request_target` which does have them, however, it +# opens a security hole. See: +# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ name: Tests on: - # for write permission, use pull_request_target and not pull_request. - pull_request_target: + pull_request: push: branches: - develop @@ -10,8 +16,9 @@ on: - release/** permissions: + # for uploading artifacts contents: write - pull-requests: write + pull-requests: read # Automatically cancel run if another commit to the same ref is detected. concurrency: @@ -30,7 +37,6 @@ jobs: - uses: technote-space/get-diff-action@v6.1.2 with: PATTERNS: | - **/**.sol **/**.go go.mod go.sum 
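Review bot: In the `permissions:` hunk, `contents: write` is kept with the new comment `# for uploading artifacts`, but `actions/upload-artifact` does not, as far as I know, depend on the `contents` scope of `GITHUB_TOKEN`, so the write grant is not needed for that purpose. This workflow also runs on `push` to the listed branches, where the token is not reduced the way it is for fork pull requests, so the job would hold repository write access it never uses. Suggest `contents: read` unless a step outside this hunk needs write.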
@@ -47,19 +53,14 @@ jobs:
 # TODO: increase this threshold with time to 80
 threshold-total: 10
 if: env.GIT_DIFF
- - name: Find comment
- id: find-comment
- uses: peter-evans/find-comment@v2
- with:
- issue-number: ${{ github.event.pull_request.number }}
- comment-author: 'github-actions[bot]'
+ - name: Generate artifact for PR
+ run: |
+ mkdir -p ./result/
+ echo ${{ steps.output-coverage.outputs.total-coverage }} > ./result/coverage.txt
+ echo ${{ github.event.pull_request.number }} > ./result/pr_number.txt
 if: env.GIT_DIFF && github.event_name == 'pull_request'
- - name: Comment coverage on PR
- uses: peter-evans/create-or-update-comment@v3
+ - uses: actions/upload-artifact@v2
 with:
- issue-number: ${{ github.event.pull_request.number }}
- comment-id: ${{ steps.find-comment.outputs.comment-id }}
- body: |
- Coverage as of ${{ github.sha }}: ${{ steps.output-coverage.outputs.total-coverage }}%
- edit-mode: append
+ name: result
+ path: result/
 if: env.GIT_DIFF && github.event_name == 'pull_request'
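Review bot: The new `Generate artifact for PR` step interpolates `${{ steps.output-coverage.outputs.total-coverage }}` and `${{ github.event.pull_request.number }}` directly into the shell script, unquoted. Both values look numeric here, but expression text is pasted into the script before the shell runs, so the safer habit is to map them through `env:` (for example `COVERAGE` and `PR_NUMBER`) and write `echo "$COVERAGE" > ./result/coverage.txt` and `echo "$PR_NUMBER" > ./result/pr_number.txt`. The step that defines `output-coverage` starts above this hunk, so its output format is not visible here.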