diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml
index 501d3f12..1b577cec 100644
--- a/.github/workflows/integration_tests.yml
+++ b/.github/workflows/integration_tests.yml
@@ -6,21 +6,55 @@ on:
 branches:
 - main
 paths-ignore:
- - "**/*.md"
- - "**/*.jpg"
- - "**/README.txt"
- - "**/LICENSE.txt"
- - "docs/**"
- - "ISSUE_TEMPLATE/**"
- - "**/remove-old-artifacts.yml"
+ - '**/*.md'
+ - '**/*.jpg'
+ - '**/README.txt'
+ - '**/LICENSE.txt'
+ - 'docs/**'
+ - 'ISSUE_TEMPLATE/**'
+ - '**/remove-old-artifacts.yml'
+ pull_request_target:
+ branches:
+ - main
+ paths-ignore:
+ - '**/*.md'
+ - '**/*.jpg'
+ - '**/README.txt'
+ - '**/LICENSE.txt'
+ - 'docs/**'
+ - 'ISSUE_TEMPLATE/**'
+ - '**/remove-old-artifacts.yml's
 permissions:
 id-token: write # This is required for requesting the JWT
 contents: read # This is required for actions/checkout
 jobs:
+ approve:
+ # Auto-approve for non-fork scenarios
+ if: >
+ github.event_name == 'push' ||
+ github.event_name == 'workflow_dispatch' ||
+ github.event.pull_request.head.repo.full_name == github.repository
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo "Approved — not a fork PR"
+ approve-fork:
+ # Require manual approval for fork PRs
+ if: >
+ github.event_name == 'pull_request_target' &&
+ github.event.pull_request.head.repo.full_name != github.repository
+ runs-on: ubuntu-latest
+ environment: integration-tests
+ steps:
+ - run: echo "Fork PR approved by maintainer"
 run-integration-tests:
 name: Run Integration Tests
+ needs: [ approve, approve-fork ]
+ if: |
+ always() &&
+ (needs.approve.result == 'success' || needs.approve-fork.result == 'success') &&
+ !(needs.approve.result == 'failure' || needs.approve-fork.result == 'failure')
 runs-on: ubuntu-latest
 strategy:
 fail-fast: false
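Review bot: The fork gate in `approve-fork` rests entirely on the `integration-tests` environment having required reviewers, which this diff cannot show; without that protection rule the job passes immediately and fork-authored code reaches `run-integration-tests` under `pull_request_target` with the workflow-level `id-token: write`. I would record the dependency next to the `environment:` key, e.g. `# integration-tests MUST have required reviewers; this is the only gate before fork code runs with id-token: write`, and move `id-token: write` from the workflow level to the `run-integration-tests` job so the two approve jobs cannot request a token. Separately, the last entry of the new `pull_request_target` `paths-ignore` list is shown as `'**/remove-old-artifacts.yml's`; the stray `s` after the closing quote would make the file fail to parse and should be dropped.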
@@ -29,8 +63,10 @@ jobs:
 dbEngine: ["aurora-mysql", "aurora-postgres", "multi-az-mysql", "multi-az-postgres" ]
 steps:
- - name: Clone repository
+ - name: 'Clone repository'
 uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha || github.sha }}
 - name: "Set up JDK 8"
 uses: actions/setup-java@v3
 with:
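Review bot: With `ref:` set to the pull request's head SHA, the checkout step places fork-authored code in a job that runs under `pull_request_target`, and `actions/checkout` by default leaves the job token in the local git config where later build steps can read it. Add `persist-credentials: false` under `with:` so the code being tested cannot reuse that token. Using the event's `head.sha` rather than the branch ref does tie the run to the commit that triggered it, so a maintainer approving the environment should review that exact SHA; a comment such as `# fork code: review this SHA before approving the integration-tests environment` would make this explicit. The step list continues outside the hunk, so which credentials the later steps use cannot be checked here.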