diff --git a/.github/workflows/rogue.yml b/.github/workflows/rogue.yml
index a967443c..edd50d72 100644
--- a/.github/workflows/rogue.yml
+++ b/.github/workflows/rogue.yml
@@ -1,7 +1,7 @@
 name: Rogue
 on:
-  pull_request_target:
+  pull_request:
   push:
     branches:
       - main
@@ -11,17 +11,11 @@ jobs:
   rogue_sanity:
     runs-on: ubuntu-latest
     timeout-minutes: 15
-    environment: rogue-sanity-ci-secrets
+    # Only run for PRs from within the same repository, not from forks
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4
-        with:
-          # 1. Checkout the actual PR commit, not just the base branch
-          ref: ${{ github.event.pull_request.head.sha }}
-          # 2. DO NOT expose the GITHUB_TOKEN write-permissions to the untrusted code
-          # This is essential to prevent untrusted code from exfiltrating secrets
-          # by manipulating the repository itself.
-          persist-credentials: false
       - name: Install uv
         uses: astral-sh/setup-uv@v5
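Review bot: The checkout step in the second hunk drops `persist-credentials: false`, so actions/checkout@v4 falls back to its default and leaves the job's GITHUB_TOKEN in `.git/config`, readable by every later step (the uv setup action and whatever runs the sanity checks). On `pull_request` a same-repo PR's token carries the workflow's default permissions, which are write-capable unless a `permissions:` block narrows them — none is visible in this hunk, so I can't tell whether one exists elsewhere in the file. Nothing in the remaining steps appears to push, so keeping `with:` / `persist-credentials: false` on the checkout step costs nothing, and pairing it with `permissions: contents: read` at workflow or job level would preserve the least-privilege property the removed comment described. The new `if:` guard also means fork PRs get no run at all rather than a secret-less one; that is a reasonable tradeoff, but worth stating on the guard line, e.g. `# Fork PRs are skipped entirely; push the branch into this repo to get a CI run`.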