diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
index 4e61298415..b9217692a6 100644
--- a/.github/workflows/artifacts.yaml
+++ b/.github/workflows/artifacts.yaml
@@ -8,6 +8,10 @@ on:
 default: false
 required: false
 type: boolean
+ untrusted_source:
+ description: Whether the source is untrusted (e.g. running from a fork)
+ required: true
+ type: boolean
 outputs:
 container-image-name:
 description: Container image name
@@ -92,7 +96,7 @@ jobs:
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
 push: ${{ inputs.publish }}
- save: true
+ save: ${{ not inputs.untrusted_source }}
 project: ${{ vars.DEPOT_PROJECT }}
 - name: Set image ref
@@ -104,6 +108,7 @@ jobs:
 - name: Retrieve pull token
 id: pull-token
+ if: not inputs.untrusted_source
 run: |
 PULL_TOKEN="$(depot pull-token --project ${VARS_DEPOT_PROJECT})"
 echo "token=$PULL_TOKEN" >> "$GITHUB_OUTPUT"
@@ -199,7 +204,7 @@ jobs:
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
 push: ${{ inputs.publish }}
- save: true
+ save: ${{ not inputs.untrusted_source }}
 project: ${{ vars.DEPOT_PROJECT }}
 - name: Set image ref
@@ -211,6 +216,7 @@ jobs:
 - name: Retrieve pull token
 id: pull-token
+ if: not inputs.untrusted_source
 run: |
 PULL_TOKEN="$(depot pull-token --project ${VARS_DEPOT_PROJECT})"
 echo "token=$PULL_TOKEN" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 51a6caf901..8bf1d08fd0 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -370,6 +370,8 @@ jobs:
 uses: ./.github/workflows/artifacts.yaml
 with:
 publish: ${{ github.event_name == 'push' }}
+ # detect if the source is a fork
+ untrusted_source: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
 permissions:
 contents: read
 packages: write
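Review bot: `not` is not an operator in GitHub Actions expressions, so `save: ${{ not inputs.untrusted_source }}` in the build step at -92 will not evaluate as a negation; the operator is `!`. The line should read `save: ${{ !inputs.untrusted_source }}`, and the `if: not inputs.untrusted_source` on the Retrieve pull token step needs the wrapped form `if: ${{ !inputs.untrusted_source }}`, because a bare leading `!` is a YAML tag indicator. The same two lines recur in the hunks at -104, -199 and -211. Since this gate is what keeps the Depot save and pull-token steps away from fork builds, it is worth confirming on a fork PR run that both are actually skipped.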
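Review bot: The fork check `github.event.pull_request.head.repo.full_name != github.repository` in the ci.yaml hunk at -370 is also true when the event carries no pull_request payload, e.g. on the `push` runs that `publish` is keyed on, since the left-hand side is then empty. That would mark trusted pushes as untrusted, leaving publish on while save is off and the pull token is skipped. Guarding on the event type avoids this: `untrusted_source: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository }}`. The `if:` conditions added in the hunks at -420 and -441 use the same comparison and would take the fork branch on push for the same reason. The workflow's triggers are outside the hunk, so confirm which events reach this job before settling on the guard.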
@@ -420,6 +422,7 @@ jobs: persist-credentials: false - name: Create override files for quickstart + if: github.event.pull_request.head.repo.full_name == github.repository env: DEPOT_IMAGE_URL: ${{ needs.artifacts.outputs.container-image-url-depot }} run: | @@ -441,6 +444,24 @@ jobs: cat quickstart/docker-compose.override.yaml + - name: Build as part of quickstart + if: github.event.pull_request.head.repo.full_name != github.repository + run: | + cat > quickstart/docker-compose.override.yaml < e2e/docker-compose.override.yaml < e2e/docker-compose.override.yaml <