diff --git a/.github/workflows/test-go-generate.yml b/.github/workflows/test-go-generate.yml
index 4e4dbf527..05b8156b8 100644
--- a/.github/workflows/test-go-generate.yml
+++ b/.github/workflows/test-go-generate.yml
@@ -17,7 +17,7 @@ jobs:
         with:
           path: constellation
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
-          token: ${{ secrets.TIDY_RENOVATE_PUSH }}
+          token: ${{ !github.event.pull_request.head.repo.fork && secrets.TIDY_RENOVATE_PUSH || '' }}
 
       - name: Setup Go
         uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
@@ -54,7 +54,11 @@ jobs:
           git diff --exit-code
 
       - name: Push changes on renovate branch
-        if: failure() && (steps.generatecheck.conclusion == 'failure') && startsWith(github.head_ref, 'renovate/')
+        if: |
+          failure() &&
+          (steps.generatecheck.conclusion == 'failure')
+          && startsWith(github.head_ref, 'renovate/') &&
+          !github.event.pull_request.head.repo.fork
         shell: bash
         working-directory: constellation
         run: |
diff --git a/.github/workflows/test-tidy.yml b/.github/workflows/test-tidy.yml
index 63bb7ef36..c5732d31c 100644
--- a/.github/workflows/test-tidy.yml
+++ b/.github/workflows/test-tidy.yml
@@ -25,7 +25,8 @@ jobs:
         uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
-          token: ${{ secrets.TIDY_RENOVATE_PUSH }}
+          # No token available for forks, so we can't push changes
+          token: ${{ !github.event.pull_request.head.repo.fork && secrets.TIDY_RENOVATE_PUSH || '' }}
 
       - name: Setup Go environment
         uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
@@ -51,7 +52,11 @@ jobs:
       # modules again and commit the changes, so the user doesn't need to do it.
 
       - name: Tidy modules on renovate branches
-        if: ${{ failure() && (steps.tidycheck.conclusion == 'failure') && startsWith(github.head_ref, 'renovate/') }}
+        if: |
+          failure() &&
+          (steps.tidycheck.conclusion == 'failure') &&
+          startsWith(github.head_ref, 'renovate/') &&
+          !github.event.pull_request.head.repo.fork
         shell: bash
         run: |
           mods="${{ steps.submods.outputs.submods }}"
@@ -60,7 +65,11 @@ jobs:
           done
 
       - name: Push changes
-        if: ${{ failure() && (steps.tidycheck.conclusion == 'failure') && startsWith(github.head_ref, 'renovate/') }}
+        if: |
+          failure() &&
+          (steps.tidycheck.conclusion == 'failure') &&
+          startsWith(github.head_ref, 'renovate/') &&
+          !github.event.pull_request.head.repo.fork
         shell: bash
         run: |
           git config --global user.name "renovate[bot]"