diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index aac2a4f..2971f78 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -4,7 +4,6 @@ on:
   push:
     branches: [main]
   pull_request:
-    branches: [main]
 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
@@ -23,6 +22,10 @@ jobs:
 
   e2e:
     runs-on: ubuntu-latest
+    # Don't run e2es on PRs from forks as it requires access to secrets
+    # when using `pull_request`.
+    # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests
+    if: ${{ github.event.pull_request.head.repo.full_name == 'bazel-contrib/publish-to-bcr' }}
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4