diff --git a/.github/workflows/conventional-commits.yaml b/.github/workflows/conventional-commits.yaml
index d11b1b1..cb75bfd 100644
--- a/.github/workflows/conventional-commits.yaml
+++ b/.github/workflows/conventional-commits.yaml
@@ -9,6 +9,8 @@ on:
 
 jobs:
   lint-pr-title:
+    # Prevent execution on forks
+    if: github.repository_owner == 'iExecBlockchainComputing'
     permissions:
       pull-requests: read
     uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/conventional-commits.yml@conventional-commits-v1.1.0
diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
index 7f7e3f6..2886819 100644
--- a/.github/workflows/docker-build.yaml
+++ b/.github/workflows/docker-build.yaml
@@ -6,11 +6,15 @@ on:
     branches: [main]
     tags:
       - 'v*.*.*'
+  # can only be executed by people with write access on repository
+  workflow_dispatch:
 
 jobs:
   prepare:
     name: Determine image tag
     runs-on: ubuntu-latest
+    # Prevent execution on forks
+    if: github.repository_owner == 'iExecBlockchainComputing'
     outputs:
       image_tag: ${{ steps.determine-tag.outputs.image_tag }}
     steps:
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
index c565bf2..7a5fb14 100644
--- a/.github/workflows/release-please.yaml
+++ b/.github/workflows/release-please.yaml
@@ -12,5 +12,7 @@ permissions:
 
 jobs:
   release-please:
+    # Prevent execution on forks
+    if: github.repository_owner == 'iExecBlockchainComputing'
     uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/release-please.yml@release-please-v2.0.0
     secrets: inherit