diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index 70270243..44e0e25b 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -18,7 +18,12 @@ on:
 tags:
 - "v*"
- pull_request:
+ # pull_request_target runs in the context of the base branch, giving the
+ # workflow access to repository secrets even for Dependabot PRs (which only
+ # receive Dependabot-scoped secrets under the plain pull_request event).
+ # The checkout step below pins to the PR head SHA so the actual PR code is
+ # tested, not the base-branch code.
+ pull_request_target:
 branches: [main, dev]
 types: [opened, synchronize, reopened]
@@ -38,10 +43,22 @@ jobs:
 runs-on: [self-hosted, e2e, azure]
 timeout-minutes: 45
 environment: e2e-testing
+ # For pull_request_target, only run when the PR originates from the same
+ # repository (team members) or from dependabot[bot]. External fork PRs
+ # must NOT receive repository secrets, even though pull_request_target
+ # would otherwise grant them access.
+ if: | github.event_name != 'pull_request_target' || github.event.pull_request.head.repo.full_name == github.repository || github.actor == 'dependabot[bot]'
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ # Explicitly check out the PR head commit; with pull_request_target
+ # the default checkout is the base branch, not the PR branch.
+ ref: ${{ github.event.pull_request.head.sha }}
 - name: Set up Go
 uses: actions/setup-go@v5
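Review bot: The third clause of the new `if:` guard in the jobs hunk, `github.actor == 'dependabot[bot]'`, gains nothing for the case the comment describes and loosens the gate: Dependabot opens its PRs from branches inside this repository, so they already satisfy `github.event.pull_request.head.repo.full_name == github.repository`, whereas the actor clause admits any `pull_request_target` run whose triggering actor is the bot regardless of which repository the head commit comes from. Keying the decision on the head repository alone is the property that actually matters here, e.g. `if: github.event_name != 'pull_request_target' || github.event.pull_request.head.repo.full_name == github.repository`, with the comment above it reworded to drop the "or from dependabot[bot]" wording. Because the checkout step then builds and runs PR-head code (tests, `go.mod` directives) inside a job that holds the `e2e-testing` environment secrets and a write-scoped GITHUB_TOKEN, adding `persist-credentials: false` under the checkout `with:` keeps that token out of the workspace, and the environment's own protection rules (required reviewers) can serve as a second gate if the team wants one. The job definition and its `steps:` list both begin before and continue past this hunk.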