diff --git a/.github/workflows/test-warehouse.yml b/.github/workflows/test-warehouse.yml
index b1358f57b..50e79a73a 100644
--- a/.github/workflows/test-warehouse.yml
+++ b/.github/workflows/test-warehouse.yml
@@ -75,9 +75,25 @@ env:
   ELMENTARY_INTERNAL_DBT_PKG_DIR: ${{ github.workspace }}/elementary/elementary/monitor/dbt_project
 
 jobs:
+  # PRs from forks require approval, specifically with the "pull_request_target" event as it contains repo secrets.
+  check-if-requires-approval:
+    runs-on: ubuntu-latest
+    outputs:
+      requires_approval: ${{ steps.set-output.outputs.requires_approval }}
+    steps:
+      - name: Set requires approval output
+        id: set-output
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request_target" && "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then
+            echo "requires_approval=true" >> $GITHUB_OUTPUT
+          else
+            echo "requires_approval=false" >> $GITHUB_OUTPUT
+          fi
+
   test:
     runs-on: ubuntu-latest
-    environment: elementary_test_env # This is a github environment (not to be confused with env vars)
+    needs: [check-if-requires-approval]
+    environment: ${{ (needs.check-if-requires-approval.outputs.requires_approval == 'true' && 'elementary_test_env') || '' }}
     defaults:
       run:
         working-directory: elementary