diff --git a/.github/workflows/build-iso.yml b/.github/workflows/build-iso.yml
index 9356968..5768127 100644
--- a/.github/workflows/build-iso.yml
+++ b/.github/workflows/build-iso.yml
@@ -174,12 +174,12 @@ jobs:
           ls "${ISO}".part-*
 
       - name: Install cosign
-        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.server_url == 'https://github.com'
         # Pinned to last v3 release confirmed node20.
         uses: sigstore/cosign-installer@v3.7.0
 
       - name: Sign ISO parts (keyless)
-        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.server_url == 'https://github.com'
         run: |
           cd build/out
           for f in *.part-*; do
@@ -189,7 +189,7 @@ jobs:
           done
 
       - name: Generate SBOM (SPDX)
-        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.server_url == 'https://github.com'
         # Pinned to last v0.17 release that ships node20.
         uses: anchore/sbom-action@v0.17.2
         with:
@@ -198,7 +198,7 @@ jobs:
           output-file: build/out/veilor-os.spdx.json
 
       - name: Build provenance attestation
-        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.server_url == 'https://github.com'
         # Pinned to last v2.2 release that ships node20.
         uses: actions/attest-build-provenance@v2.2.3
         with: