diff --git a/.github/workflows/external-message.yml b/.github/workflows/external-message.yml
index fca26498..62eea965 100644
--- a/.github/workflows/external-message.yml
+++ b/.github/workflows/external-message.yml
@@ -11,6 +11,9 @@ on:
 branches:
 - main
+ pull_request:
+ types: [opened, reopened, synchronize]
+
 jobs:
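Review bot: The `types: [opened, reopened, synchronize]` list on the new `pull_request:` trigger is exactly the default activity-type set, so it changes nothing and can be dropped unless the intent is to pin it against future defaults. The event name of the pre-existing trigger above `branches:` is outside the hunk; if that trigger is `pull_request_target`, the job now runs twice per PR — once under a read-only fork token and once under a privileged one — and the delete/comment steps further down would race each other on the same PR. A one-line comment above `pull_request:` stating which event is meant to carry the comment logic would make the intent reviewable.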
@@ -18,20 +21,69 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 pull-requests: write
+
 steps:
- - name: Check if external contribution
- id: check_fork
+ # NOTE: This is not 100% accurate, but it should work for most cases.
+ - name: Check user and potential secret access
+ id: check-secrets-access
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
- if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
- echo "is_fork=true" >> $GITHUB_OUTPUT
+ USER_LOGIN="${{ github.event.pull_request.user.login }}"
+ REPO_OWNER="${{ github.repository_owner }}"
+ REPO_NAME="${{ github.event.repository.name }}"
+
+ echo "Pull request opened by: $USER_LOGIN"
+
+ # Check if PR is from a fork
+ IS_FORK=$([[ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]] && echo "true" || echo "false")
+
+ HAS_ACCESS="false"
+
+ # Check user's permission level on the repository
+ USER_PERMISSION=$(gh api repos/$REPO_OWNER/$REPO_NAME/collaborators/$USER_LOGIN/permission --jq '.permission')
+
+ if [[ "$USER_PERMISSION" == "admin" || "$USER_PERMISSION" == "write" ]]; then
+ HAS_ACCESS="true"
+ elif [[ "$USER_PERMISSION" == "read" ]]; then
+ # For read access, we need to check if the user has been explicitly granted secret access
+ # This information is not directly available via API, so we'll make an assumption
+ # that read access does not imply secret access
+ HAS_ACCESS="false"
+ fi
+
+ # Check if repo owner is an organization
+ IS_ORG=$(gh api users/$REPO_OWNER --jq '.type == "Organization"')
+
+ if [[ "$IS_ORG" == "true" && "$HAS_ACCESS" == "false" ]]; then
+ # Check if user is a member of any team with write or admin access to the repo
+ TEAMS_WITH_ACCESS=$(gh api repos/$REPO_OWNER/$REPO_NAME/teams --jq '.[] | select(.permission == "push" or .permission == "admin") | .slug')
+ for team in $TEAMS_WITH_ACCESS; do
+ IS_TEAM_MEMBER=$(gh api orgs/$REPO_OWNER/teams/$team/memberships/$USER_LOGIN --silent && echo "true" || echo "false")
+ if [[ "$IS_TEAM_MEMBER" == "true" ]]; then
+ HAS_ACCESS="true"
+ break
+ fi
+ done
+ fi
+
+ # If it's a fork, set HAS_ACCESS to false regardless of other checks
+ if [[ "$IS_FORK" == "true" ]]; then
+ HAS_ACCESS="false"
+ fi
+
+ echo "has_secrets_access=$HAS_ACCESS" >> $GITHUB_OUTPUT
+ if [[ "$HAS_ACCESS" == "true" ]]; then
+ echo "User $USER_LOGIN likely has access to secrets"
 else
- echo "is_fork=false" >> $GITHUB_OUTPUT
+ echo "User $USER_LOGIN likely does not have access to secrets"
 fi
+ - uses: actions/checkout@v4
 - name: Delete old comments
- if: steps.check_fork.outputs.is_fork == 'true'
+ if: steps.check-secrets-access.outputs.has_secrets_access != 'true'
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
@@ -48,9 +100,10 @@ jobs:
 fi
 - name: Comment on PR
- if: steps.check_fork.outputs.is_fork == 'true'
+ if: steps.check-secrets-access.outputs.is_fork != 'true'
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
 run: |
 gh pr comment ${{ github.event.pull_request.number }} --body \
 "
@@ -58,8 +111,8 @@ jobs:
 [go/deco-tests-run/sdk-go](https://go/deco-tests-run/sdk-go)
 Inputs:
- PR Number:${{github.event.pull_request.number}}
- Commit SHA:${{ github.event.pull_request.head.sha }}
+ * PR number: ${{github.event.pull_request.number}}
+ * Commit SHA: \`${{ env.COMMIT_SHA }}\`
 Checks will be approved automatically on success.
 "
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 870cccc6..8697bdbf 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -9,11 +9,28 @@ on:
 jobs:
- # Secrets are not available for forks.
+ check-token:
+ name: Check secrets access
+ runs-on: ubuntu-latest
+ outputs:
+ has_token: ${{ steps.set-token-status.outputs.has_token }}
+ steps:
+ - name: Check if GITHUB_TOKEN is set
+ id: set-token-status
+ run: |
+ if [ -z "${{ secrets.GITHUB_TOKEN }}" ]; then
+ echo "GITHUB_TOKEN is empty. User has no access to tokens."
+ echo "::set-output name=has_token::true"
+ else
+ echo "GITHUB_TOKEN is set. User has no access to tokens."
+ echo "::set-output name=has_token::false"
+ fi
+
 trigger-tests:
- if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
 name: Trigger Tests
 runs-on: ubuntu-latest
+ needs: check-token
+ if: github.event_name == 'pull_request' && needs.check-token.outputs.has_token == 'true'
 environment: "test-trigger-is"
 steps:
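Review bot: `secrets.GITHUB_TOKEN` is populated on every workflow run, fork PRs included, so `[ -z "${{ secrets.GITHUB_TOKEN }}" ]` is never true, `has_token` is always `false`, and under the new `needs.check-token.outputs.has_token == 'true'` condition `trigger-tests` can no longer run at all; the branches are also inverted (`has_token::true` is written on the empty branch) and both echo messages say "no access". The more important loss is that the removed `github.event.pull_request.head.repo.full_name == github.repository` guard was the check that kept the `test-trigger-is` environment's job off fork PRs — a token-presence check is not a substitute for it, and if someone later "fixes" the inversion the job would start running for forks, with consequences that depend on which event `on:` (outside the hunk) declares. Keep the same-repo condition on `trigger-tests`, fix the output values, and replace the deprecated `::set-output` command with `$GITHUB_OUTPUT`; the rest of `trigger-tests` is outside the hunk.
```yaml
      - name: Check if GITHUB_TOKEN is set
        id: set-token-status
        run: |
          if [ -z "${{ secrets.GITHUB_TOKEN }}" ]; then
            echo "GITHUB_TOKEN is empty; jobs that need it will be skipped."
            echo "has_token=false" >> "$GITHUB_OUTPUT"
          else
            echo "GITHUB_TOKEN is set."
            echo "has_token=true" >> "$GITHUB_OUTPUT"
          fi
  # … unchanged: trigger-tests name / runs-on / needs …
    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && needs.check-token.outputs.has_token == 'true'
```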