According to this thread, actions of a PR from a fork repo will be executed against the fork, and only if the fork is in the beta program.
I tested this by creating a test account (@huynguyendev) that is not in the beta. I then opened up a pull request to TextureGroup/Texture (which is in the beta) from my forked repo. The commit changes Texture’s worflow file to add pull_request event and voila, the workflow is now executed on my PR.
This has the potential of allowing bad actors to run their own scripts by simply opening up PRs on open source projects. Can someone verify if this is in fact intended behavior?