diff --git a/.github/workflows/plan-release.yml b/.github/workflows/plan-release.yml
index 9e44ee8d..7d70d71c 100644
--- a/.github/workflows/plan-release.yml
+++ b/.github/workflows/plan-release.yml
@@ -4,9 +4,10 @@ on:
     branches:
       - main
       - master
-  pull_request:
+  pull_request_target: # This workflow has permissions on the repo, do NOT run code from PRs in this workflow. See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
     types:
       - labeled
+      - unlabeled
 
 concurrency:
   group: plan-release # only the latest one of these should ever be running
@@ -41,7 +42,7 @@ jobs:
       explanation: ${{ steps.explanation.outputs.text }}
     # only run on push event if plan wasn't updated (don't create a release plan when we're releasing)
     # only run on labeled event if the PR has already been merged
-    if: (github.event_name == 'push' && needs.check-plan.outputs.command != 'release') || (github.event_name == 'pull_request' && github.event.pull_request.merged == true)
+    if: (github.event_name == 'push' && needs.check-plan.outputs.command != 'release') || (github.event_name == 'pull_request_target' && github.event.pull_request.merged == true)
 
     steps:
       - uses: actions/checkout@v4
@@ -53,16 +54,13 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: 18
-      
-      - run: npm ci
-      
+      - uses: pnpm/action-setup@v4
+      - run: pnpm install --frozen-lockfile
       - name: "Generate Explanation and Prep Changelogs"
         id: explanation
         run: |
           set +e
-          
-          npx release-plan prepare 2> >(tee -a release-plan-stderr.txt >&2)
-          
+          pnpm release-plan prepare 2> >(tee -a release-plan-stderr.txt >&2)
 
           if [ $? -ne 0 ]; then
             echo 'text<<EOF' >> $GITHUB_OUTPUT
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 0b75c3c5..724fb1c2 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -49,11 +49,10 @@ jobs:
           node-version: 18
           # This creates an .npmrc that reads the NODE_AUTH_TOKEN environment variable
           registry-url: 'https://registry.npmjs.org'
-      
-      - run: npm ci
+      - uses: pnpm/action-setup@v4
+      - run: pnpm install --frozen-lockfile
       - name: npm publish
-        run: npx release-plan publish
-      
+        run: pnpm release-plan publish
         env:
           GITHUB_AUTH: ${{ secrets.GITHUB_TOKEN }}
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/package.json b/package.json
index cd60e78f..6e055ed1 100644
--- a/package.json
+++ b/package.json
@@ -97,7 +97,6 @@
     "lint-to-the-future-eslint": "^0.4.0",
     "loader.js": "^4.7.0",
     "npm-run-all": "^4.1.5",
-    "pnpm": "^7.0.0",
     "prember": "^2.0.0",
     "prettier": "^2.5.1",
     "qunit": "^2.17.2",
@@ -108,12 +107,10 @@
     "stylelint-order": "^4.0.0",
     "webpack": "^5.52.1"
   },
+  "packageManager": "pnpm@9.5.0",
   "engines": {
     "node": "18.* || >= 20"
   },
-  "volta": {
-    "node": "18.18.2"
-  },
   "publishConfig": {
     "registry": "https://registry.npmjs.org"
   },
@@ -125,6 +122,5 @@
   },
   "ember-addon": {
     "configPath": "tests/dummy/config"
-  },
-  "packageManager": "pnpm@9.5.0"
+  }
 }