diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 218ce24..e7a914d 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -1,4 +1,5 @@ name: Unitify CI Pipeline + on: pull_request: branches: [main] @@ -17,8 +18,31 @@ permissions: contents: read jobs: + init: + name: initialize + runs-on: ubuntu-24.04 + outputs: + run-privileged-jobs: ${{ steps.vars.outputs.run-privileged-jobs }} + strong-name-key-filename: ${{ steps.vars.outputs.strong-name-key-filename }} + build-switches: ${{ steps.vars.outputs.build-switches }} + steps: + - id: vars + name: calculate workflow variables + shell: bash + run: | + if [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then + echo "run-privileged-jobs=false" >> "$GITHUB_OUTPUT" + echo "strong-name-key-filename=" >> "$GITHUB_OUTPUT" + echo "build-switches=-p:SkipSignAssembly=true" >> "$GITHUB_OUTPUT" + else + echo "run-privileged-jobs=true" >> "$GITHUB_OUTPUT" + echo "strong-name-key-filename=unitify.snk" >> "$GITHUB_OUTPUT" + echo "build-switches=" >> "$GITHUB_OUTPUT" + fi + build: name: call-build + needs: [init] strategy: matrix: arch: [X64, ARM64] @@ -26,7 +50,8 @@ jobs: uses: codebeltnet/jobs-dotnet-build/.github/workflows/default.yml@v3 with: configuration: ${{ matrix.configuration }} - strong-name-key-filename: unitify.snk + strong-name-key-filename: ${{ needs.init.outputs.strong-name-key-filename }} + build-switches: ${{ needs.init.outputs.build-switches }} runs-on: ${{ matrix.arch == 'ARM64' && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }} upload-build-artifact-name: build-${{ matrix.configuration }}-${{ matrix.arch }} secrets: inherit 
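Review bot: The `run:` script of the `vars` step in the new `init` job has `${{ github.event.pull_request.head.repo.full_name }}` and two other expressions expanded into the bash text before the shell starts, which is the script-injection pattern GitHub's hardening guidance says to avoid. GitHub restricts the characters allowed in owner and repository names, so this value is unlikely to be exploitable, but the step is an easy template to copy for values that are, such as branch names and PR titles. Passing the values through `env:` and comparing shell variables keeps event data out of the script text. A missing head repository yields an empty name and falls into the unprivileged branch, which is the safe direction and worth a one-line comment.

```yaml
        shell: bash
        env:
          EVENT_NAME: ${{ github.event_name }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          BASE_REPO: ${{ github.repository }}
        run: |
          # An empty HEAD_REPO (head repository deleted) is treated as a fork.
          if [[ "$EVENT_NAME" == "pull_request" && "$HEAD_REPO" != "$BASE_REPO" ]]; then
          # … unchanged: the two branches that write to $GITHUB_OUTPUT …
```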
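Review bot: The `build` job keeps `secrets: inherit` while it now also builds fork pull requests with `build-switches` set to `-p:SkipSignAssembly=true`, and that is safe only because runs triggered by `pull_request` from a fork receive no repository secrets by default. Nothing in the hunk records this, and a later switch to `pull_request_target` would hand inherited secrets to a build of untrusted code. I would add a comment above `secrets: inherit`, for example `# fork PRs reach this job; safe only while the trigger is pull_request (no secrets on fork runs)`. Whether the called workflow treats an empty `strong-name-key-filename` as "do not sign" is not visible here and should be confirmed against the `jobs-dotnet-build` `v3` workflow. The job definition starts and ends outside the hunk.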
@@ -78,8 +103,9 @@ jobs: download-pattern: build-${{ matrix.configuration }}-${{ matrix.arch }} sonarcloud: + if: ${{ needs.init.outputs.run-privileged-jobs == 'true' }} name: call-sonarcloud - needs: [build,test_linux,test_windows] + needs: [init, build, test_linux, test_windows] uses: codebeltnet/jobs-sonarcloud/.github/workflows/default.yml@v3 with: organization: geekle @@ -88,16 +114,18 @@ jobs: secrets: inherit codecov: + if: ${{ needs.init.outputs.run-privileged-jobs == 'true' }} name: call-codecov - needs: [build,test_linux,test_windows] + needs: [init, build, test_linux, test_windows] uses: codebeltnet/jobs-codecov/.github/workflows/default.yml@v1 with: repository: codebeltnet/unitify secrets: inherit - + codeql: + if: ${{ needs.init.outputs.run-privileged-jobs == 'true' }} name: call-codeql - needs: [build,test_linux,test_windows] + needs: [init, build, test_linux, test_windows] uses: codebeltnet/jobs-codeql/.github/workflows/default.yml@v3 permissions: security-events: write
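Review bot: The new `if:` on `sonarcloud`, and on `codecov` and `codeql` in the next hunk, skips all three jobs for fork pull requests, and GitHub reports a skipped job as successful, so where any of them is a required status check a fork PR passes it without being analysed. Fork contributions are the least trusted input to the repository, so static analysis should still run on that code at some point; the full trigger list is outside the diff, so please confirm the pipeline also runs on pushes to `main` or that a maintainer re-runs it from an in-repo branch. I would record the trade-off next to each condition, for example `# skipped on fork PRs (no secrets, read-only token); a skipped job still counts as passed for required checks`. The `sonarcloud` job definition continues outside this hunk.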