diff --git a/.github/workflows/pr-comment.yaml b/.github/workflows/fork-warn.yaml similarity index 88% rename from .github/workflows/pr-comment.yaml rename to .github/workflows/fork-warn.yaml index ca4b401..fc115bb 100644 --- a/.github/workflows/pr-comment.yaml +++ b/.github/workflows/fork-warn.yaml @@ -1,16 +1,17 @@ name: Warn about PRs from forks via comment on: - pull_request: + pull_request_target: branches: - main types: - opened + - reopened jobs: warn-forks: runs-on: ubuntu-latest - if: github.repository != 'the-turing-way/teams-as-code' + if: github.event.pull_request_target.head.repo.full_name != 'the-turing-way/teams-as-code' permissions: issues: write pull-requests: write diff --git a/.github/workflows/plan-and-apply.yaml b/.github/workflows/plan-and-apply.yaml index 64a1ec3..097de61 100644 --- a/.github/workflows/plan-and-apply.yaml +++ b/.github/workflows/plan-and-apply.yaml @@ -16,16 +16,19 @@ env: concurrency: # Only run one tf job at a time to avoid conflicts and state lock - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }} cancel-in-progress: false jobs: plan-apply: + runs-on: ubuntu-latest # Provide GITHUB_TOKEN enough permissions to post a comment to a PR permissions: issues: write pull-requests: write - runs-on: ubuntu-latest + # Secrets for this workflow are in an environment with extra restrictions + environment: tf-env + steps: - name: Checkout repo uses: actions/checkout@v6
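Review bot: The new `if:` in `warn-forks` reads `github.event.pull_request_target.head.repo.full_name`, but a `pull_request_target` event exposes the pull request under `github.event.pull_request`. The path as written evaluates to an empty value, so the `!=` comparison is true for every PR, fork or not. Use `if: github.event.pull_request.head.repo.full_name != github.repository`, or keep the literal repository name on the right-hand side. Because `pull_request_target` runs in the base repository's context with the `issues: write` / `pull-requests: write` token granted here, the job's steps (outside this hunk) should only post the comment and never check out or execute the PR head. A comment above the trigger such as `# pull_request_target: runs with the base-repo token; never check out PR code in this workflow` would record that constraint.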
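Review bot: With `group: ${{ github.workflow }}` and `cancel-in-progress: false`, GitHub keeps one running and at most one pending run per concurrency group, so a third queued run cancels the older pending one instead of waiting behind it. Now that every ref shares the group, a plan for one PR or an apply on main can be dropped when other runs arrive. Extend the existing comment to say so, e.g. `# One group for all refs: a newer queued run replaces an older pending one, so re-run any cancelled plan/apply`. The added `environment: tf-env` restricts the secrets only as far as the environment's protection rules (required reviewers, deployment branches) are set in the repository settings, which this diff cannot show; confirm they match the events that trigger this workflow. The steps of `plan-apply` continue outside the hunk.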