diff --git a/.github/workflows/command-compile.yml b/.github/workflows/command-compile.yml
index 89f3f2718595f..c071899bd02ce 100644
--- a/.github/workflows/command-compile.yml
+++ b/.github/workflows/command-compile.yml
@@ -26,6 +26,12 @@ jobs:
       base_ref: ${{ steps.comment-branch.outputs.base_ref }}
 
     steps:
+      - name: Disabled on forks
+        if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+        run: |
+          echo 'Can not execute /compile on forks'
+          exit 1
+
       - name: Check actor permission
         uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v2
         with:
@@ -57,6 +63,15 @@ jobs:
         uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v1
         id: comment-branch
 
+      - name: Add reaction on failure
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        if: failure()
+        with:
+          token: ${{ secrets.COMMAND_BOT_PAT }}
+          repository: ${{ github.event.repository.full_name }}
+          comment-id: ${{ github.event.comment.id }}
+          reactions: "-1"
+
   process:
     runs-on: ubuntu-latest
     needs: init
@@ -95,7 +110,7 @@ jobs:
 
       - name: Set up npm ${{ steps.package-engines-versions.outputs.npmVersion }}
         run: npm i -g 'npm@${{ steps.package-engines-versions.outputs.npmVersion }}'
-      
+
       - name: Rebase to ${{ needs.init.outputs.base_ref }}
         if: ${{ contains(needs.init.outputs.arg1, 'rebase') }}
         run: |
@@ -115,7 +130,7 @@ jobs:
         run: |
           git add '${{ github.workspace }}${{ needs.init.outputs.git_path }}'
           git commit --signoff -m 'chore(assets): Recompile assets'
- 
+
       - name: Commit fixup
         if: ${{ contains(needs.init.outputs.arg1, 'fixup') }}
         run: |
@@ -129,7 +144,7 @@ jobs:
           git commit --amend --no-edit --signoff
           # Remove any [skip ci] from the amended commit
           git commit --amend -m "$(git log -1 --format='%B' | sed '/\[skip ci\]/d')"
- 
+
       - name: Push normally
         if: ${{ !contains(needs.init.outputs.arg1, 'rebase') && !contains(needs.init.outputs.arg1, 'amend') }}
         run: git push origin '${{ needs.init.outputs.head_ref }}'
diff --git a/.github/workflows/command-pull-3rdparty.yml b/.github/workflows/command-pull-3rdparty.yml
index 06f6228fb5637..5090193d424fc 100644
--- a/.github/workflows/command-pull-3rdparty.yml
+++ b/.github/workflows/command-pull-3rdparty.yml
@@ -27,6 +27,12 @@ jobs:
           comment-id: ${{ github.event.comment.id }}
           reactions: '+1'
 
+      - name: Disabled on forks
+        if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+        run: |
+          echo 'Can not execute /update-3rdparty on forks'
+          exit 1
+
       - name: Init branch
         uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v1
         id: comment-branch
diff --git a/.github/workflows/cypress.yml b/.github/workflows/cypress.yml
index 2f4d557d19bbe..7c37accb46522 100644
--- a/.github/workflows/cypress.yml
+++ b/.github/workflows/cypress.yml
@@ -32,6 +32,12 @@ jobs:
       PUPPETEER_SKIP_DOWNLOAD: true
 
     steps:
+      - name: Disabled on forks
+        if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+        run: |
+          echo 'Can not run cypress on forks'
+          exit 1
+
       - name: Checkout server
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
diff --git a/.github/workflows/dependabot-approve-merge.yml b/.github/workflows/dependabot-approve-merge.yml
index 0d6b2c26d156b..efe8bfe37f78d 100644
--- a/.github/workflows/dependabot-approve-merge.yml
+++ b/.github/workflows/dependabot-approve-merge.yml
@@ -31,6 +31,12 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: Disabled on forks
+        if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+        run: |
+          echo 'Can not approve PRs from forks'
+          exit 1
+
       # GitHub actions bot approve
       - uses: hmarr/auto-approve-action@b40d6c9ed2fa10c9a2749eca7eb004418a705501 # v2
         with:
diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml
index d879dfe641fa9..0b1f4acb3b88a 100644
--- a/.github/workflows/performance.yml
+++ b/.github/workflows/performance.yml
@@ -22,6 +22,12 @@ jobs:
     name: performance-${{ matrix.php-versions }}
 
     steps:
+      - name: Disabled on forks
+        if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+        run: |
+          echo 'Can not run performance tests on forks'
+          exit 1
+
       - name: Checkout server before PR
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
         with:
diff --git a/.github/workflows/update-psalm-baseline-approve-merge.yml b/.github/workflows/update-psalm-baseline-approve-merge.yml
index 5042c9de161ce..980e0f78d8c4a 100644
--- a/.github/workflows/update-psalm-baseline-approve-merge.yml
+++ b/.github/workflows/update-psalm-baseline-approve-merge.yml
@@ -27,6 +27,12 @@ jobs:
       contents: write
 
     steps:
+      - name: Disabled on forks
+        if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+        run: |
+          echo 'Can not approve PRs from forks'
+          exit 1
+
       - uses: mdecoleman/pr-branch-name@bab4c71506bcd299fb350af63bb8e53f2940a599 # v2.0.0
         id: branchname
         with: