diff --git a/.github/workflows/build-ci-image.yml b/.github/workflows/build-ci-image.yml
index dd90db43e4..eff14dc0b4 100644
--- a/.github/workflows/build-ci-image.yml
+++ b/.github/workflows/build-ci-image.yml
@@ -6,18 +6,18 @@ on:
       - main
       - v2
     paths:
-      - 'gen.Dockerfile'
-      - '.github/workflows/build-ci-image.yml'
-  pull_request:
+      - "gen.Dockerfile"
+      - ".github/workflows/build-ci-image.yml"
+  pull_request_target:
     paths:
-      - 'gen.Dockerfile'
-      - '.github/workflows/build-ci-image.yml'
+      - "gen.Dockerfile"
+      - ".github/workflows/build-ci-image.yml"
   workflow_dispatch:
     inputs:
       force_rebuild:
-        description: 'Force rebuild of the image'
+        description: "Force rebuild of the image"
         required: false
-        default: 'false'
+        default: "false"
 
 env:
   REGISTRY: ghcr.io
@@ -37,6 +37,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -68,7 +70,7 @@ jobs:
       - name: Set image tag output
         id: set-tag
         run: |
-          if [ "${{ github.event_name }}" == "pull_request" ]; then
+          if [ "${{ github.event_name }}" == "pull_request_target" ] || [ "${{ github.event_name }}" == "pull_request" ]; then
             echo "tag=pr-${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT
           elif [ "${{ github.ref }}" == "refs/heads/v2" ]; then
             echo "tag=v2" >> $GITHUB_OUTPUT
@@ -104,7 +106,7 @@ jobs:
         run: echo "Image built with digest ${{ steps.meta.outputs.digest }}"
 
       - name: Comment on PR with image tag
-        if: github.event_name == 'pull_request'
+        if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request'
         uses: actions/github-script@v7
         with:
           script: |
diff --git a/.github/workflows/check-generate.yml b/.github/workflows/check-generate.yml
index af78f2297a..5d7cabf162 100644
--- a/.github/workflows/check-generate.yml
+++ b/.github/workflows/check-generate.yml
@@ -1,7 +1,7 @@
 name: Check Generated Files
 
 on:
-  pull_request:
+  pull_request_target:
     types: [opened, synchronize, reopened]
 
 jobs:
@@ -11,11 +11,14 @@ jobs:
       contents: read
       actions: read
       packages: read
+      issues: read
     outputs:
       image: ${{ steps.docker-image.outputs.image }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Determine Docker image
         id: docker-image
@@ -48,14 +51,20 @@ jobs:
                 owner: context.repo.owner,
                 repo: context.repo.repo,
                 workflow_id: 'build-ci-image.yml',
-                event: 'pull_request',
+                event: 'pull_request_target',
                 per_page: 10
               });
 
-              // Find the run for this PR
-              const prRun = runs.workflow_runs.find(run =>
-                run.head_sha === context.payload.pull_request.head.sha
-              );
+              // For pull_request_target from forks, run.pull_requests is always empty (GitHub API limitation).
+              // Fall back to matching by head_sha for fork PRs.
+              const prNumber = context.issue.number;
+              const prHeadSha = context.payload.pull_request.head.sha;
+              const prRun = runs.workflow_runs.find(run => {
+                if (Array.isArray(run.pull_requests) && run.pull_requests.length > 0) {
+                  return run.pull_requests.some(pr => pr.number === prNumber);
+                }
+                return run.head_sha === prHeadSha;
+              });
 
               if (prRun) {
                 console.log(`Found workflow run: ${prRun.html_url}`);
@@ -95,6 +104,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Cache cargo artifacts
         uses: actions/cache@v4
@@ -139,6 +150,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Run go mod tidy and check
         run: |
@@ -158,6 +171,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Run mockery and check
         run: |
diff --git a/gen.Dockerfile b/gen.Dockerfile
index 7f8f674fa0..8bfa1e3198 100644
--- a/gen.Dockerfile
+++ b/gen.Dockerfile
@@ -40,7 +40,7 @@ FROM alpine:latest AS buf-downloader
 ARG TARGETARCH
 ARG BUF_VERSION
 RUN apk add --no-cache curl tar
-RUN BUFARCH=$(case ${TARGETARCH} in amd64) echo "x86_64" ;; arm64) echo "aarch64" ;; *) echo "x86_64" ;; esac) && \
+RUN if [ "${TARGETARCH}" = "arm64" ]; then BUFARCH="aarch64"; else BUFARCH="x86_64"; fi && \
     curl -fsSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-Linux-${BUFARCH}.tar.gz" | \
     tar -xzC /tmp