diff --git a/javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.qhelp b/javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.qhelp
index b210616d82f..4833b50d8e2 100644
--- a/javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.qhelp
+++ b/javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.qhelp
@@ -46,12 +46,13 @@

- The following examples use two triggers to handle potentially untrusted
- pull request in a secure manner:
+ The following example uses two workflows to handle potentially untrusted
+ pull request in a secure manner. The receive_pr.yml is triggered first:

+

The comment_pr.yml is triggered after receive_pr.yml completes:

diff --git a/javascript/ql/src/experimental/Security/CWE-094/examples/comment_pr.yml b/javascript/ql/src/experimental/Security/CWE-094/examples/comment_pr.yml
index 6b4ec61ddea..e496b1449a0 100644
--- a/javascript/ql/src/experimental/Security/CWE-094/examples/comment_pr.yml
+++ b/javascript/ql/src/experimental/Security/CWE-094/examples/comment_pr.yml
@@ -1,4 +1,3 @@
-# comment_pr.yml
 name: Comment on the pull request
 # read-write repo token
diff --git a/javascript/ql/src/experimental/Security/CWE-094/examples/receive_pr.yml b/javascript/ql/src/experimental/Security/CWE-094/examples/receive_pr.yml
index c0e46bdd431..7104bce8bf3 100644
--- a/javascript/ql/src/experimental/Security/CWE-094/examples/receive_pr.yml
+++ b/javascript/ql/src/experimental/Security/CWE-094/examples/receive_pr.yml
@@ -1,4 +1,3 @@
-# receive_pr.yml
 name: Receive PR
 # read-only repo token