diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 71d62f4dc5b5..8ad14e2686f3 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,7 +1,13 @@ name: "CodeQL" on: - workflow_call: {} + workflow_call: + inputs: + publish: + type: boolean + description: "Publish SARIF" + default: true + workflow_dispatch: {} push: branches: ["master"] diff --git a/.github/workflows/on.pr.yml b/.github/workflows/on.pr.yml index a7cd494d7e69..42bd70976791 100644 --- a/.github/workflows/on.pr.yml +++ b/.github/workflows/on.pr.yml @@ -26,7 +26,7 @@ jobs: contents: write id-token: write with: - provenance: true + provenance: ${{ github.event.pull_request.head.repo.full_name == 'google/guava' }} provenance_publish: false snapshot: false @@ -62,3 +62,5 @@ jobs: actions: read contents: read security-events: write + with: + publish: ${{ github.event.pull_request.head.repo.full_name == 'google/guava' }}
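Review bot: The `default: true` on the new `publish` input applies only when this workflow is invoked through `workflow_call`; for the `push` and `workflow_dispatch` triggers in the same `on:` block the `inputs` context has no `publish` value, and an unset input is falsy in an expression. No hunk in this patch shows where the input is read, so if the consumer is written as `if: inputs.publish`, SARIF from pushes to master would silently stop being published. The condition should key on the event as well, for example `if: github.event_name != 'pull_request' || inputs.publish`.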
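Review bot: The repository name is hard-coded in the `provenance:` expression, and the same literal is repeated in the `publish:` value added in the last hunk of this file. Comparing against the running repository keeps the two in step and survives a rename or a mirror: `provenance: ${{ github.event.pull_request.head.repo.full_name == github.repository }}`. The job still requests `contents: write` and `id-token: write` for every PR, and the `on:` trigger is outside this hunk. It is worth confirming the trigger is `pull_request` rather than `pull_request_target`, where those scopes would be granted to a run that builds fork code.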
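Review bot: Nothing at the new `with:` block says why publishing depends on the head repository, and the reason is not obvious from the expression alone. A one-line comment above `publish:` would record it, e.g. `# Fork PRs run with a read-only token, so SARIF upload is skipped for them.` That wording assumes the read-only token is the motivation, so adjust it if the intent is different.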