diff --git a/.github/workflows/build-push-artifacts.yaml b/.github/workflows/build-push-artifacts.yaml
index 69d7471..db83b33 100644
--- a/.github/workflows/build-push-artifacts.yaml
+++ b/.github/workflows/build-push-artifacts.yaml
@@ -10,6 +10,11 @@ on:
 # Also allow publication to be done via a workflow call
 # In this case, the chart version is returned as an output
 workflow_call:
+ inputs:
+ ref:
+ type: string
+ description: The ref to build.
+ required: true
 outputs:
 chart-version:
 description: The chart version that was published
@@ -26,12 +31,11 @@ jobs:
 build_push_images:
 name: Build and push images
 runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: write
 steps:
 - name: Check out the repository
 uses: actions/checkout@v3
+ with:
+ ref: ${{ inputs.ref || github.ref }}
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v2
@@ -73,12 +77,11 @@ jobs:
 needs: [build_push_images]
 outputs:
 chart-version: ${{ steps.semver.outputs.version }}
- permissions:
- contents: write
 steps:
 - name: Check out the repository
 uses: actions/checkout@v3
 with:
+ ref: ${{ inputs.ref || github.ref }}
 # This is important for the semver action to work correctly
 # when determining the number of commits since the last tag
 fetch-depth: 0
diff --git a/.github/workflows/test-pr.yaml b/.github/workflows/test-pr.yaml
index 0cbbdcd..5f7cb18 100644
--- a/.github/workflows/test-pr.yaml
+++ b/.github/workflows/test-pr.yaml
@@ -1,7 +1,8 @@
 name: Test Azimuth deployment
 on:
- pull_request:
+ # We use pull_request_target so that dependabot-created workflows can run
+ pull_request_target:
 types:
 - opened
 - synchronize
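Review bot: The new `ref` input under `workflow_call` in build-push-artifacts.yaml is described only as "The ref to build.", which does not tell callers that the value is checked out and built by jobs that log in to the container registry. I would put the trust expectation in the description, for example `description: The commit SHA or ref to check out and build. Callers must only pass refs whose contents they trust.` The input is `required: true` while the checkout steps fall back to `github.ref`; that fallback presumably serves the workflow's other triggers, which are outside this hunk.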
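Review bot: In the `build_push_images` hunk of build-push-artifacts.yaml, dropping the job-level `permissions` block means the GITHUB_TOKEN scope is no longer capped at `contents: read` / `packages: write` and instead follows whatever the caller or the repository default grants; the next hunk (-73,12) removes `contents: write` from the chart job with the same effect. Since these jobs now check out a caller-supplied ref and build it, I would keep an explicit least-privilege `permissions` block on each job, or set one on the calling job in test-pr.yaml. The checkout also stores the token in the local git config by default, so adding `persist-credentials: false` under `with:` next to `ref:` would keep later build steps from reading it, provided no later step pushes with those credentials (not visible here). Both job bodies continue outside their hunks.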
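Review bot: The comment added above `pull_request_target:` in test-pr.yaml says why the trigger changed but not what it costs: runs on this trigger use the base repository's secrets and token, while the jobs below check out and build the pull request's head commit. That leaves the `fail_on_remote` job as the only barrier between fork code and those credentials, and the comment should record it, e.g. `# pull_request_target runs with this repository's secrets and token; fail_on_remote must keep rejecting PRs from forks`. Dependency-update PRs are meant to pass that check, so whatever build inputs they change are built with the same credentials; that is worth stating as an accepted risk. The `types:` list continues outside the hunk.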
@@ -20,11 +21,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: PR must be from a branch in the stackhpc/azimuth-identity-operator repo
- run: exit ${{ github.repository == 'stackhpc/azimuth-identity-operator' && '0' || '1' }}
+ run: exit ${{ github.event.pull_request.head.repo.full_name == 'stackhpc/azimuth-identity-operator' && '0' || '1' }}
 publish_artifacts:
 needs: [fail_on_remote]
 uses: ./.github/workflows/build-push-artifacts.yaml
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ secrets: inherit
 run_azimuth_tests:
 needs: [publish_artifacts]
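Review bot: `secrets: inherit` on the `publish_artifacts` call hands every secret visible to this workflow to a reusable workflow that checks out `github.event.pull_request.head.sha` and builds it. The called workflow's visible steps only log in to the GitHub Container Registry; if that login uses the automatically provided GITHUB_TOKEN (not visible here) the line can be dropped, and otherwise the specific secrets it needs are better passed by name under `secrets:`. The guard in `fail_on_remote` now compares `github.event.pull_request.head.repo.full_name`, which is the field that identifies the source repository under `pull_request_target`. A comment on that job such as `# Every job that uses secrets must depend on this job, directly or transitively` would protect the ordering. The `run_azimuth_tests` job continues outside the hunk.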