diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 2d544524862e2d..6d8489e86c472d 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -113,3 +113,4 @@
 /docs/area-owners.* @jeffhandley
 /docs/issue*.md @jeffhandley
 /.github/policies/ @jeffhandley @mkArtakMSFT
+/.github/workflows/ @jeffhandley @dotnet/runtime-infrastructure
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
new file mode 100644
index 00000000000000..f5e7799b30e2a2
--- /dev/null
+++ b/.github/workflows/README.md
@@ -0,0 +1,22 @@
+# Workflows
+
+General guidance:
+
+Please make sure to include the @dotnet/runtime-infrastructure group as a reviewer of your PRs.
+
+For workflows that are triggered by pull requests, refer to GitHub's documentation for the `pull_request` and `pull_request_target` events. The `pull_request_target` event is the more common use case in this repository as it runs the workflow in the context of the target branch instead of in the context of the pull request's fork or branch. However, workflows that need to consume the contents of the pull request need to use the `pull_request` event. There are security considerations with each of the events though.
+
+Most workflows are intended to run only in the `dotnet/runtime` repository and not in forks. To force workflow jobs to be skipped in forks, each job should apply an `if` statement that checks the repository name or owner. Either approach works, but checking only the repository owner allows the workflow to run in copies or forks withing the dotnet org.
+
+```yaml
+jobs:
+ job-1:
+ # Do not run this job in forks
+ if: github.repository == 'dotnet/runtime'
+
+ job-2:
+ # Do not run this job in forks outside the dotnet org
+ if: github.repository_owner == 'dotnet'
+```
+
+Refer to GitHub's [Workflows in forked repositories](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflows-in-forked-repositories) and [pull_request_target](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) documentation for more information.
diff --git a/.github/workflows/check-no-merge-label.yml b/.github/workflows/check-no-merge-label.yml
index 1c01c2f7324175..d503400b0e154c 100644
--- a/.github/workflows/check-no-merge-label.yml
+++ b/.github/workflows/check-no-merge-label.yml
@@ -4,14 +4,14 @@ permissions:
 pull-requests: read
 on:
- pull_request:
- types: [opened, edited, reopened, labeled, unlabeled, synchronize]
+ pull_request_target:
+ types: [opened, reopened, labeled, unlabeled]
 branches:
- - 'main'
 - 'release/**'
 jobs:
 check-labels:
+ if: github.repository == 'dotnet/runtime'
 runs-on: ubuntu-latest
 steps:
 - name: Check 'NO-MERGE' label
diff --git a/.github/workflows/check-service-labels.yml b/.github/workflows/check-service-labels.yml
index 2d85e4d278a393..c158ff6f1520d6 100644
--- a/.github/workflows/check-service-labels.yml
+++ b/.github/workflows/check-service-labels.yml
@@ -4,13 +4,14 @@ permissions:
 pull-requests: read
 on:
- pull_request:
- types: [opened, edited, reopened, labeled, unlabeled, synchronize]
+ pull_request_target:
+ types: [opened, reopened, labeled, unlabeled]
 branches:
 - 'release/**'
 jobs:
 check-labels:
+ if: github.repository == 'dotnet/runtime'
 runs-on: ubuntu-latest
 steps:
 - name: Check 'Servicing-approved' label
diff --git a/eng/pipelines/runtime-official.yml b/eng/pipelines/runtime-official.yml
index 55021be6e29ed4..e3c7dc5050005f 100644
--- a/eng/pipelines/runtime-official.yml
+++ b/eng/pipelines/runtime-official.yml
@@ -41,11 +41,11 @@ extends:
 # Localization build
 #
- - ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/release/9.0') }}:
+ - ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/main') }}:
 - template: /eng/common/templates-official/job/onelocbuild.yml
 parameters:
 MirrorRepo: runtime
- MirrorBranch: release/9.0
+ MirrorBranch: main
 LclSource: lclFilesfromPackage
 LclPackageId: 'LCL-JUNO-PROD-RUNTIME'
@@ -661,7 +661,7 @@ extends:
 flattenFolders: true
 buildArgs: -s mono.workloads -c $(_BuildConfig) /p:PackageSource=$(Build.SourcesDirectory)/artifacts/workloadPackages /p:WorkloadOutputPath=$(Build.SourcesDirectory)/artifacts/workloads
-
+
 postBuildSteps:
 # Upload packages wrapping msis
 - template: /eng/pipelines/common/upload-intermediate-artifacts-step.yml
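Review bot: In `.github/workflows/check-no-merge-label.yml` the switch to `pull_request_target` is not explained in the file itself, and the same applies to the matching hunk in `check-service-labels.yml`. With this event the job runs in the context of the base repository rather than the fork, so the `permissions: pull-requests: read` block visible in the context lines is what keeps the token narrow and should stay as it is. I would add a comment above the trigger, for example `# pull_request_target: runs in the base repository's context; never check out or run pull request content in this workflow`. The `steps:` list continues past the end of the hunk, so it is worth confirming that no step there checks out the PR head or expands PR-controlled fields inside a `run:` script.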
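Review bot: Dropping `synchronize` from `types` in `.github/workflows/check-service-labels.yml` (and in `check-no-merge-label.yml` before it) means a push to the pull request no longer starts a new run of the label check. If either check is a required status on `release/**`, which the diff does not show, confirm that the result from the last `opened` or `labeled` run still satisfies branch protection for the new head commit, so that a PR neither sits in a pending state nor merges on a stale result. If the omission is deliberate, a short comment next to `types` such as `# label state does not change on push, so synchronize is not needed` would record why.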