diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1932a662..981e71a8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -64,7 +64,10 @@ jobs:
         run: npx @grafana/levitate@latest is-compatible --path src/module.ts --target @grafana/data,@grafana/ui,@grafana/runtime
 
       # The plugin is signed here so it's possible to use the artifact produced by the job directly
+      # Forks are not allowed to get is signed so we skip this step (and job to upload the artifact)
+      # See also https://github.com/grafana/explore-profiles/issues/366)
       - name: Setup plugin signing
+        if: ${{ !github.event.pull_request.head.repo.fork }}
         uses: grafana/shared-workflows/actions/get-vault-secrets@main
         with:
           vault_instance: ops
@@ -73,6 +76,7 @@ jobs:
 
       # create MANIFEST in dist
       - name: Sign plugin
+        if: ${{ !github.event.pull_request.head.repo.fork }}
         run: yarn sign
         env:
           GRAFANA_ACCESS_POLICY_TOKEN: ${{ env.SIGN_PLUGIN_ACCESS_POLICY_TOKEN }}
@@ -145,6 +149,7 @@ jobs:
     # to push the package automatically without approval
     name: Upload to GCS
     needs: [end-to-end]
+    if: ${{ !github.event.pull_request.head.repo.fork }}
     environment: ${{ github.event_name == 'push' && 'gcs-no-approval' || 'gcs' }}
     runs-on: ubuntu-latest
     outputs: