diff --git a/.github/workflows/ensure-capi-images.yaml b/.github/workflows/ensure-capi-images.yaml
index a238089..2974342 100644
--- a/.github/workflows/ensure-capi-images.yaml
+++ b/.github/workflows/ensure-capi-images.yaml
@@ -1,6 +1,11 @@
 name: Ensure CAPI images
 on:
 workflow_call:
+ inputs:
+ ref-under-test:
+ type: string
+ description: The Git ref under test.
+ required: true
 outputs:
 kube-1-26-image:
 value: ${{ jobs.produce_outputs.outputs.kube-1-26-image }}
@@ -23,6 +28,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v3
+ with:
+ ref: ${{ inputs.ref-under-test }}
 - name: Fetch image details
 id: images
@@ -50,6 +57,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v3
+ with:
+ ref: ${{ inputs.ref-under-test }}
 if: ${{ !matrix.skip }}
 - name: Write cloud credential
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index ef3cb96..6ddfa27 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,6 +1,11 @@
 name: Helm Lint
 on:
 workflow_call:
+ inputs:
+ ref-under-test:
+ type: string
+ description: The Git ref under test.
+ required: true
 jobs:
 lint:
@@ -9,6 +14,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v3
 with:
+ ref: ${{ inputs.ref-under-test }}
 fetch-depth: 0
 - name: Set up Helm
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 714cf4b..0133b2f 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -11,11 +11,15 @@ concurrency:
 jobs:
 lint:
 uses: ./.github/workflows/lint.yaml
+ with:
+ ref-under-test: ${{ github.sha }}
 ensure_capi_images:
 needs: [lint]
 uses: ./.github/workflows/ensure-capi-images.yaml
 secrets: inherit
+ with:
+ ref-under-test: ${{ github.sha }}
 test:
 needs: [ensure_capi_images]
@@ -24,5 +28,7 @@ jobs:
 with:
 # Pass the images as JSON
 images: ${{ toJSON(needs.ensure_capi_images.outputs) }}
+ # We want to test the current sha
+ ref-under-test: ${{ github.sha }}
 # Only run the sanity check on main
 tests-full: false
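Review bot: In `ensure-capi-images.yaml` (`@@ -23,6 +28,8 @@`) the new `with:` block checks out a caller-supplied ref but leaves `actions/checkout@v3` at its default of persisting the job token in the working tree's git config. Once `pr.yaml` passes a fork's head SHA into this input, any later step that runs code from the checkout can read that token, so I would add `persist-credentials: false` next to `ref:`. The same applies to the second checkout in this file (`@@ -50,6 +57,8 @@`, which is followed by a `Write cloud credential` step), to the checkout in `lint.yaml`, and to the three checkouts in `test.yaml`. The later steps of these jobs are outside the hunks, so confirm that none of them relies on the persisted token before changing it.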
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index a2328d9..d303540 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -1,6 +1,6 @@
 name: test pr
 on:
- pull_request:
+ pull_request_target:
 types:
 - opened
 - synchronize
@@ -14,16 +14,31 @@ concurrency:
 cancel-in-progress: true
 jobs:
- # Run the lint on every PR, even from external repos
- lint:
- uses: ./.github/workflows/lint.yaml
+ # Reusable workflows cannot be used with environments
+ # https://docs.github.com/en/actions/using-workflows/reusing-workflows#supported-keywords-for-jobs-that-call-a-reusable-workflow
+ # So we must use a different mechanism for approvals
+ wait_for_approval:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Wait for approval
+ uses: stackhpc/github-actions/workflow-approve@master
+ with:
+ approvers: mkjpryor
+ # Explicit approval is only required for PRs from external forks
+ approval-required: ${{ github.event.pull_request.head.repo.full_name != 'stackhpc/capi-helm-charts' && 'yes' || 'no' }}
+
+ lint:
+ needs: [wait_for_approval]
+ uses: ./.github/workflows/lint.yaml
+ with:
+ ref-under-test: ${{ github.event.pull_request.head.sha }}
- # Only run tests on the main repo
 ensure_capi_images:
 needs: [lint]
 uses: ./.github/workflows/ensure-capi-images.yaml
 secrets: inherit
- if: github.repository == 'stackhpc/capi-helm-charts'
+ with:
+ ref-under-test: ${{ github.event.pull_request.head.sha }}
 test:
 needs: [ensure_capi_images]
@@ -32,7 +47,8 @@ jobs:
 with:
 # Pass the images as JSON
 images: ${{ toJSON(needs.ensure_capi_images.outputs) }}
+ # We want to test the code in the PR
+ ref-under-test: ${{ github.event.pull_request.head.sha }}
 # If the PR is in draft, just run a sanity check
 # If the PR is in review, run the full test suite
 tests-full: ${{ !github.event.pull_request.draft }}
- if: github.repository == 'stackhpc/capi-helm-charts'
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index ef10abf..7f23635 100644
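Review bot: Switching the trigger to `pull_request_target` in `pr.yaml` (`@@ -1,6 +1,6 @@`) makes runs for fork PRs execute in the base repository's context, with its secrets and, depending on repository settings, a read/write `GITHUB_TOKEN`; no `permissions:` key appears in the visible hunks. Because the jobs below check out and run the PR's head commit, I would set a restrictive workflow-level default, `permissions:` with `contents: read`, and widen it only on the jobs that need more. A short comment above the trigger saying why `pull_request_target` is used, and that the approval job is what makes it safe, would keep a later edit from removing the gate by accident. The lines between this hunk and the next are not shown, so a `permissions:` block may already exist there.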
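Review bot: The `wait_for_approval` job in `pr.yaml` (`@@ -14,16 +14,31 @@`) is the only control between a fork PR and the inherited secrets, yet the action that implements it is referenced by a mutable branch, `stackhpc/github-actions/workflow-approve@master`. I would pin it to a full commit SHA, `uses: stackhpc/github-actions/workflow-approve@<full-commit-sha>  # master`, so that a change on that branch cannot alter the gate without a reviewed update here. Passing `github.event.pull_request.head.sha` rather than a branch name is the right choice, since the approved run then tests exactly the commit that triggered it, and the comment should say so. Every job that receives secrets has to stay downstream of this job through `needs:`; that holds for `lint` and `ensure_capi_images` here, but the `uses:` and `secrets:` lines of `test` fall outside the hunks. The hard-coded `'stackhpc/capi-helm-charts'` in `approval-required` could be `github.repository`.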
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -5,6 +5,9 @@ on:
 images:
 type: string
 description: JSON-encoded dictionary of images and versions
+ ref-under-test:
+ type: string
+ description: The Git ref under test.
 required: true
 tests-full:
 type: boolean
@@ -22,6 +25,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v3
+ with:
+ ref: ${{ inputs.ref-under-test }}
 - name: Create kind cluster
 uses: helm/kind-action@v1.8.0
@@ -92,6 +97,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v3
+ with:
+ ref: ${{ inputs.ref-under-test }}
 - name: Create kind cluster
 uses: helm/kind-action@v1.8.0
@@ -170,6 +177,7 @@ jobs:
 - name: Checkout current
 uses: actions/checkout@v3
 with:
+ ref: ${{ inputs.ref-under-test }}
 path: current
 - name: Get latest tag
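Review bot: In `test.yaml` (`@@ -5,6 +5,9 @@`) the three added lines land between the `images` description and the existing `required: true`, so that `required: true` now reads as belonging to `ref-under-test` and `images` is left without one. Unlike the `inputs` blocks added to `lint.yaml` and `ensure-capi-images.yaml`, this hunk adds no `required: true` of its own. If `images` is meant to stay mandatory, add `required: true` after its `description:` line as well. Indentation is not recoverable from this page, so confirm against the file.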