diff --git a/.github/workflows/dev-build-pr.yml b/.github/workflows/dev-build-pr.yml
index 14309b94..9d5cb1be 100644
--- a/.github/workflows/dev-build-pr.yml
+++ b/.github/workflows/dev-build-pr.yml
@@ -25,9 +25,16 @@ jobs:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
+          ref: "refs/pull/${{ github.event.number }}/merge"
           token: ${{ secrets.UESDK_PULLER || github.token }}
           submodules: recursive
+          persist-credentials: false
 
+      # Important security check: https://github.com/actions/checkout/issues/518
+      - name: Sanity check
+        run: |
+          [[ "$(git rev-parse 'HEAD^')" == "${{ github.event.pull_request.head.sha }}" ]]
+      
       - name: Configure CMake
         run: cmake -S ${{github.workspace}} -B ${{github.workspace}}/build -G "Visual Studio 17 2022" -A x64 -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}}
 
diff --git a/.github/workflows/dev-release.yml b/.github/workflows/dev-release.yml
index 8a321335..f6e196a0 100644
--- a/.github/workflows/dev-release.yml
+++ b/.github/workflows/dev-release.yml
@@ -14,6 +14,7 @@ jobs:
         with:
           token: ${{ secrets.UESDK_PULLER }}
           submodules: recursive
+          persist-credentials: false
 
       - name: Configure CMake
         run: cmake -S ${{github.workspace}} -B ${{github.workspace}}/build -G "Visual Studio 17 2022" -A x64 -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}}
@@ -29,6 +30,7 @@ jobs:
         with:
           repository: praydog/uevr-frontend
           path: frontend
+          persist-credentials: false
 
       - name: Set up dotnet
         uses: actions/setup-dotnet@v1