diff --git a/.github/workflows/test-harness.yml b/.github/workflows/test-harness.yml
index cbcbb195..fa9fc2f7 100644
--- a/.github/workflows/test-harness.yml
+++ b/.github/workflows/test-harness.yml
@@ -1,6 +1,6 @@
 name: Liquibase Test Harness for BigQuery
 on:
-  pull_request:
+  pull_request_target:
     branches:
       - '*'
   push:
@@ -14,8 +14,20 @@ on:
 env:
   tf_version: 'latest'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
+
+  authorize:
+    environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: true
+
   setup:
+    needs: authorize
     runs-on: ubuntu-latest
     permissions:
       contents: 'read'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 28decf16..0ca4cdc2 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -2,14 +2,26 @@ name: Build and Test
 
 on:
   workflow_dispatch:
-  pull_request:
+  pull_request_target:
     types:
       - opened
       - reopened
       - synchronize
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
+
+  authorize:
+    environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: true
+
   build-test:
+    needs: authorize
     uses: liquibase/build-logic/.github/workflows/os-extension-test.yml@v0.7.8
     secrets: inherit
     with: