diff --git a/.github/workflows/cpu-tests.yml b/.github/workflows/cpu-tests.yml
index fbe8fb21d7..8a42e93a4c 100644
--- a/.github/workflows/cpu-tests.yml
+++ b/.github/workflows/cpu-tests.yml
@@ -67,13 +67,14 @@ jobs:
           python -c "$modules"
 
   pytester:
-    # skip PR trigger if secrets are not shared as for all forked PRs
+    # Route PRs based on contributor type to avoid duplicate runs:
+    # - Collaborators: use pull_request (tests workflow changes from PR)
+    # - External forks: use pull_request_target (uses trusted workflow from main)
+    # - Always run for push to main and workflow_dispatch
     if: |
-      github.event_name != 'pull_request' ||
-      (
-        github.event_name == 'pull_request' &&
-        contains('OWNER,MEMBER,COLLABORATOR', github.event.pull_request.author_association)
-      )
+      (github.event_name == 'pull_request' && contains('OWNER,MEMBER,COLLABORATOR', github.event.pull_request.author_association)) ||
+      (github.event_name == 'pull_request_target' && !contains('OWNER,MEMBER,COLLABORATOR', github.event.pull_request.author_association)) ||
+      (github.event_name != 'pull_request' && github.event_name != 'pull_request_target')
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
@@ -137,11 +138,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: [pytester, testing-imports]
     if: |
-      github.event_name == 'pull_request_target' ||
-      (
-        github.event_name == 'pull_request' &&
-        contains('OWNER,MEMBER,COLLABORATOR', github.event.pull_request.author_association)
-      )
+      (github.event_name == 'pull_request_target' && !contains('OWNER,MEMBER,COLLABORATOR', github.event.pull_request.author_association)) ||
+      (github.event_name == 'pull_request' && contains('OWNER,MEMBER,COLLABORATOR', github.event.pull_request.author_association))
     steps:
       - run: echo "${{ needs.pytester.result }}"
       - name: failing...