diff --git a/README.md b/README.md
index 6cb71e7..e88b4cd 100644
--- a/README.md
+++ b/README.md
@@ -179,6 +179,8 @@ jobs:
 
 > **Note**
 > You must use the `cache` or `restore` action in your workflow before you need to use the files that might be restored from the cache. If the provided `key` matches an existing cache, a new cache is not created and if the provided `key` doesn't match an existing cache, a new cache is automatically created provided the job completes successfully.
+>
+> **`pull_request_target` exception:** When `actions/cache` is used in a `pull_request_target` workflow, the automatic post-step save is **skipped**. This is a security measure to prevent untrusted pull request code from poisoning caches accessible to privileged workflows. If really you need to save a cache in a trusted `pull_request_target` context (e.g., after validating the PR source), use [`actions/cache/save`](./save/README.md) explicitly with an appropriate `if` condition.
 
 ## Caching Strategies
 
diff --git a/action.yml b/action.yml
index 2606455..5d2923a 100644
--- a/action.yml
+++ b/action.yml
@@ -41,7 +41,7 @@ runs:
   using: 'node24'
   main: 'dist/restore/index.js'
   post: 'dist/save/index.js'
-  post-if: "success()"
+  post-if: "success() && github.event_name != 'pull_request_target'"
 branding:
   icon: 'archive'
   color: 'gray-dark'