diff --git a/.github/workflows/external-message.yml b/.github/workflows/external-message.yml
index 1970735f9..28e61503c 100644
--- a/.github/workflows/external-message.yml
+++ b/.github/workflows/external-message.yml
@@ -17,6 +17,10 @@ jobs:
     permissions:
       pull-requests: write
 
+    # Only run this job for PRs from forks.
+    # Integration tests are not run automatically for PRs from forks.
+    if: "${{ github.event.pull_request.head.repo.fork }}"
+
     steps:
       - uses: actions/checkout@v4
 
@@ -43,7 +47,7 @@ jobs:
         run: |
           gh pr comment ${{ github.event.pull_request.number }} --body \
           "<!-- INTEGRATION_TESTS_MANUAL -->
-          If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:
+          An authorized user can trigger integration tests manually by following the instructions below:
 
           Trigger:
           [go/deco-tests-run/cli](https://go/deco-tests-run/cli)
diff --git a/.github/workflows/integration-pr.yml b/.github/workflows/integration-pr.yml
index bf2dcd8bc..c1e3a9a29 100644
--- a/.github/workflows/integration-pr.yml
+++ b/.github/workflows/integration-pr.yml
@@ -5,36 +5,17 @@ on:
     types: [opened, synchronize]
 
 jobs:
-  check-token:
-    runs-on: ubuntu-latest
-    environment: "test-trigger-is"
-
-    outputs:
-      has_token: ${{ steps.set-token-status.outputs.has_token }}
-
-    steps:
-      - name: Check if DECO_WORKFLOW_TRIGGER_APP_ID is set
-        id: set-token-status
-        run: |
-          if [ -z "${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}" ]; then
-            echo "DECO_WORKFLOW_TRIGGER_APP_ID is empty. User has no access to secrets."
-            echo "::set-output name=has_token::false"
-          else
-            echo "DECO_WORKFLOW_TRIGGER_APP_ID is set. User has access to secrets."
-            echo "::set-output name=has_token::true"
-          fi
-
   # Trigger for pull requests.
   #
   # This workflow triggers the integration test workflow in a different repository.
   # It requires secrets from the "test-trigger-is" environment, which are only available to authorized users.
-  # It depends on the "check-token" workflow to confirm access to this environment to avoid failures.
   trigger:
     runs-on: ubuntu-latest
     environment: "test-trigger-is"
 
-    if: needs.check-token.outputs.has_token == 'true'
-    needs: check-token
+    # Only run this job for PRs from branches on the main repository and not from forks.
+    # Workflows triggered by PRs from forks don't have access to the "test-trigger-is" environment.
+    if: "${{ !github.event.pull_request.head.repo.fork }}"
 
     steps:
       - name: Generate GitHub App Token
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index f7c4d5456..a4a35420a 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -14,6 +14,9 @@ on:
     branches:
       - main
 
+env:
+  GOTESTSUM_FORMAT: github-actions
+
 jobs:
   tests:
     runs-on: ${{ matrix.os }}
diff --git a/Makefile b/Makefile
index b6a62765f..f8b725900 100644
--- a/Makefile
+++ b/Makefile
@@ -2,6 +2,8 @@ default: build
 
 PACKAGES=./libs/... ./internal/... ./cmd/... ./bundle/... .
 
+GOTESTSUM_FORMAT ?= pkgname-and-test-fails
+
 lint:
 	./lint.sh ./...
 
@@ -9,10 +11,10 @@ lintcheck:
 	golangci-lint run ./...
 
 test:
-	gotestsum --format pkgname-and-test-fails --no-summary=skipped -- ${PACKAGES}
+	gotestsum --format ${GOTESTSUM_FORMAT} --no-summary=skipped -- ${PACKAGES}
 
 cover:
-	gotestsum --format pkgname-and-test-fails --no-summary=skipped -- -coverprofile=coverage.txt ${PACKAGES}
+	gotestsum --format ${GOTESTSUM_FORMAT} --no-summary=skipped -- -coverprofile=coverage.txt ${PACKAGES}
 
 showcover:
 	go tool cover -html=coverage.txt
diff --git a/go.mod b/go.mod
index 2dda0cd60..86bc1c368 100644
--- a/go.mod
+++ b/go.mod
@@ -68,7 +68,7 @@ require (
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
-	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	google.golang.org/api v0.182.0 // indirect
diff --git a/go.sum b/go.sum
index 1e806ea03..f6cf79607 100644
--- a/go.sum
+++ b/go.sum
@@ -204,8 +204,8 @@ golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
 golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=