diff --git a/.github/workflows/R-CMD-check.yaml b/.github/workflows/R-CMD-check.yaml index 4609cc0..5a260a1 100644 --- a/.github/workflows/R-CMD-check.yaml +++ b/.github/workflows/R-CMD-check.yaml @@ -1,13 +1,38 @@ # For help debugging build failures open an issue on the RStudio community with the 'github-actions' tag. # https://community.rstudio.com/new-topic?category=Package%20development&tags=github-actions -on: [push, pull_request] + +# Details on pull_request_target and why it's insecure: +# https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ +# Post describing a workaround, from which we take inspiration: +# https://michaelheap.com/access-secrets-from-forks/ name: R-CMD-check +on: + push: + branches: + - master + - 'feature/**' + - 'bugfix/**' + pull_request_target: + types: [opened, synchronize] + jobs: + pre-check: + runs-on: ubuntu-latest + steps: + - name: Confirm crew102 triggered the build + run: | + if [ "${{ github.actor }}" == "crew102" ]; then + echo "Actor is crew102" + else + echo "Actor is ${{ github.actor }}, failing build." + exit 1 + fi + R-CMD-check: + needs: [pre-check] runs-on: ${{ matrix.config.os }} - timeout-minutes: 60 name: ${{ matrix.config.os }} (${{ matrix.config.r }}) @@ -30,19 +55,17 @@ jobs: PATENTSVIEW_API_KEY: ${{ secrets.PATENTSVIEW_API_KEY }} steps: - - uses: actions/checkout@v4 + - name: Checkout code + uses: actions/checkout@v3 + with: + # Use the head SHA for pull requests + ref: ${{ github.event.pull_request.head.sha || github.sha }} - - uses: r-lib/actions/setup-r@v2 + - uses: r-lib/actions/setup-r@v1 with: r-version: ${{ matrix.config.r }} - - uses: r-lib/actions/setup-pandoc@v2 - - - name: Check Secrets Access - if: ${{ env.PATENTSVIEW_API_KEY == '' }} - run: | - echo "No access to secrets" - exit 1 + - uses: r-lib/actions/setup-pandoc@v1 - name: Query dependencies run: | 
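Review bot: The `pre-check` gate tests who triggered the event, not whose code is later checked out, and it does so by expanding `${{ github.actor }}` inside the script text. Under `pull_request_target`, any `opened` or `synchronize` event that crew102 triggers on a pull request passes the gate while the checkout in the next hunk still takes the PR head, so the comment above `on:` should state that the gate assumes crew102 has reviewed that head commit. Moving the comparison out of the shell, for example a job-level `if: github.actor == 'crew102'`, keeps expression text out of `run:` and skips the job instead of failing it. No `permissions:` key is visible in this hunk; if none exists elsewhere in the file, add a top-level `permissions:` with `contents: read`, because `pull_request_target` runs can receive a write-capable `GITHUB_TOKEN`.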
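Review bot: The checkout step now fetches `github.event.pull_request.head.sha` into a job whose `env` (apparently job-level, since it sits just before `steps:`) carries `secrets.PATENTSVIEW_API_KEY`, so every later `run:` step executes PR-head code with the key in its environment. Add `persist-credentials: false` under the checkout's `with:` so the token is not left in the working tree's git config, and consider moving `PATENTSVIEW_API_KEY` from the job `env` to only the steps that call the API. This hunk also rolls `checkout`, `setup-r` and `setup-pandoc` back to older major tags, and a later hunk does the same for `actions/cache`; in a workflow that handles a secret, pinning each `uses:` to a full commit SHA of a current release is the safer form. The removed 'Check Secrets Access' step was the only explicit signal that the key was unavailable, so a comment saying why it was dropped would help.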
@@ -53,7 +76,7 @@ jobs: - name: Restore R package cache if: runner.os != 'Windows' - uses: actions/cache@v4 + uses: actions/cache@v2 with: path: ${{ env.R_LIBS_USER }} key: ${{ runner.os }}-${{ hashFiles('.github/R-version') }}-1-${{ hashFiles('.github/depends.Rds') }} @@ -77,7 +100,6 @@ jobs: - name: Check env: _R_CHECK_CRAN_INCOMING_REMOTE_: false - run: | options(crayon.enabled = TRUE) rcmdcheck::rcmdcheck(args = c("--no-manual", "--as-cran"), error_on = "warning", check_dir = "check") @@ -86,7 +108,6 @@ jobs: - name: Run examples env: _R_CHECK_CRAN_INCOMING_REMOTE_: false - run: | options(crayon.enabled = TRUE) remotes::install_cran("devtools") @@ -98,4 +119,4 @@ jobs: uses: actions/upload-artifact@main with: name: ${{ runner.os }}-r${{ matrix.config.r }}-results - path: check \ No newline at end of file + path: check
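Review bot: With the trigger changed to `pull_request_target`, the 'Restore R package cache' step in the first hunk on this line runs in the base repository's cache scope while the job has PR-head code checked out. Whatever ends up in `R_LIBS_USER` during such a run can be saved under this key and restored by later `push` builds on `master`, which makes the cache a path from PR code into trusted builds. Consider restricting the step with `if: github.event_name == 'push' && runner.os != 'Windows'`, or adding `${{ github.event_name }}` to `key:` so the two kinds of run never share an entry. The step continues outside the hunk, so check any `restore-keys:` there as well. `actions/cache@v2` is also an older major than the tag it replaces; confirm it still runs on current runners.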