diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2cf076a4..d9cc54c1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -41,14 +41,15 @@ jobs:
 
       - run: ./clippy.sh
 
+      # On the `aya-rs/aya` repository, regenerate the public API on a schedule.
+      #
+      # On all other events and repositories assert the public API is up to date.
       - run: cargo xtask public-api
-        if: github.event_name != 'schedule'
-
+        if: ${{ !(github.event_name == 'schedule' && github.repository == 'aya-rs/aya') }}
       - run: cargo xtask public-api --bless
-        if: github.event_name == 'schedule'
-
+        if: ${{ (github.event_name == 'schedule' && github.repository == 'aya-rs/aya') }}
       - uses: peter-evans/create-pull-request@v7
-        if: github.event_name == 'schedule'
+        if: ${{ (github.event_name == 'schedule' && github.repository == 'aya-rs/aya') }}
         with:
           # GitHub actions aren't allowed to trigger other actions to prevent
           # abuse; the canonical workaround is to use a sufficiently authorized
diff --git a/.github/workflows/gen.yml b/.github/workflows/gen.yml
index 416f72ef..e63ccc1b 100644
--- a/.github/workflows/gen.yml
+++ b/.github/workflows/gen.yml
@@ -2,7 +2,8 @@ name: codegen
 
 on:
   push:
-    branches-ignore: 'create-pull-request/**'
+    branches-ignore:
+      - 'create-pull-request/**'
 
   schedule:
     - cron: 00 4 * * *
@@ -40,6 +41,7 @@ jobs:
         run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
 
       - uses: peter-evans/create-pull-request@v7
+        if: ${{ github.repository == 'aya-rs/aya' }}
         with:
           # GitHub actions aren't allowed to trigger other actions to prevent
           # abuse; the canonical workaround is to use a sufficiently authorized