diff --git a/.github/workflows/qcom-container-build-and-upload.yml b/.github/workflows/qcom-container-build-and-upload.yml
index 9f0f9d6..e5a0b8c 100644
--- a/.github/workflows/qcom-container-build-and-upload.yml
+++ b/.github/workflows/qcom-container-build-and-upload.yml
@@ -45,10 +45,19 @@ jobs:
 runs-on: ubuntu-24.04-arm
 steps:
- - name: Checkout Repository
+ # PRs from forks (pull_request_target): check out the PR's fork + exact commit
+ - name: Checkout PR head (fork-safe)
+ if: ${{ github.event_name == 'pull_request_target' }}
 uses: actions/checkout@v4
 with:
- ref: ${{github.head_ref}}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: false
+
+ # Push / schedule / manual: normal checkout
+ - name: Checkout repository
+ if: ${{ github.event_name != 'pull_request_target' }}
+ uses: actions/checkout@v4
 - name: Build Images
 uses: ./.github/actions/build_container
@@ -56,4 +65,4 @@ jobs:
 arch: arm64
 push-to-ghcr: ${{ github.event_name != 'pull_request_target' }}
 token: ${{ secrets.DEB_PKG_BOT_CI_TOKEN }}
- username: ${{ vars.DEB_PKG_BOT_CI_USERNAME }}
\ No newline at end of file
+ username: ${{ vars.DEB_PKG_BOT_CI_USERNAME }}
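Review bot: The `Checkout PR head (fork-safe)` step puts fork-controlled content into the workspace of a `pull_request_target` run, and the following `uses: ./.github/actions/build_container` step then resolves the action definition and build inputs from that checkout while, per the second hunk, `token: ${{ secrets.DEB_PKG_BOT_CI_TOKEN }}` is still passed to it. `persist-credentials: false` only keeps the checkout token out of the git config; it does not stop the PR's own copy of the action from receiving the bot token. Consider gating the secret the same way as the push flag, e.g. `token: ${{ github.event_name != 'pull_request_target' && secrets.DEB_PKG_BOT_CI_TOKEN || '' }}` (if the action tolerates an empty token), or building fork PRs under the plain `pull_request` trigger, which runs without repository secrets. The workflow's `on:` and `permissions:` blocks and the rest of the job are outside the hunk, so confirm there that the job token is limited to `contents: read`.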