diff --git a/assets/images/help/pull_requests/actions-approve-and-run-workflows-from-fork.png b/assets/images/help/pull_requests/actions-approve-and-run-workflows-from-fork.png new file mode 100644 index 000000000000..c142169c7f7f Binary files /dev/null and b/assets/images/help/pull_requests/actions-approve-and-run-workflows-from-fork.png differ diff --git a/content/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks.md b/content/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks.md new file mode 100644 index 000000000000..a41d459b53f6 --- /dev/null +++ b/content/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks.md 
@@ -0,0 +1,19 @@ +--- +title: Approving workflow runs from public forks +intro: 'When a first-time contributor submits a pull request to a public repository, a maintainer with write access must approve any workflow runs.' +product: '{% data reusables.gated-features.actions %}' +versions: + free-pro-team: '*' +--- + +Forks of public repositories can submit pull requests that propose changes to a repository's {% data variables.product.prodname_actions %} workflows. Although workflows from forks do not have access to sensitive data such as secrets, they can be an annoyance for maintainers if they are modified for abusive purposes. To help prevent this, workflows on pull requests are not run automatically if they are received from first-time contributors, and must be approved first. + +Maintainers with write access to the repository can use the following procedure to review and run workflows on pull requests from first-time contributors. After a contributor has at least one pull request merged into a project's repository, any future pull requests from that contributor's fork will automatically run workflows. + +{% data reusables.repositories.sidebar-pr %} +{% data reusables.repositories.choose-pr-review %} +{% data reusables.repositories.changed-files %} +1. Inspect the proposed changes in the pull request and ensure that you are comfortable running your workflows on the pull request branch. You should be especially alert to any proposed changes in the `.github/workflows/` directory that affect workflow files. +1. If you are comfortable with running workflows on the pull request branch, return to the {% octicon "comment-discussion" aria-label="The discussion icon" %} **Conversation** tab, and under "Workflow(s) awaiting approval", click **Approve and run**. + + ![Approve and run workflows](/assets/images/help/pull_requests/actions-approve-and-run-workflows-from-fork.png) 
diff --git a/content/actions/managing-workflow-runs/index.md b/content/actions/managing-workflow-runs/index.md index 2606df2f970c..2e9d5811969e 100644 --- a/content/actions/managing-workflow-runs/index.md +++ b/content/actions/managing-workflow-runs/index.md @@ -26,6 +26,7 @@ versions: {% link_in_list /manually-running-a-workflow %} {% link_in_list /re-running-a-workflow %} {% link_in_list /canceling-a-workflow %} +{% link_in_list /approving-workflow-runs-from-public-forks %} {% link_in_list /reviewing-deployments %} {% link_in_list /disabling-and-enabling-a-workflow %} {% link_in_list /deleting-a-workflow-run %} diff --git a/data/reusables/developer-site/pull_request_forked_repos_link.md b/data/reusables/developer-site/pull_request_forked_repos_link.md index 54d745b497b9..3d29c028b4b0 100644 --- a/data/reusables/developer-site/pull_request_forked_repos_link.md +++ b/data/reusables/developer-site/pull_request_forked_repos_link.md @@ -10,6 +10,10 @@ When you create a pull request from a forked repository to the base repository, Workflows don't run on forked repositories by default. You must enable GitHub Actions in the **Actions** tab of the forked repository. +{% if currentVersion == "free-pro-team@latest"%} +When a first-time contributor submits a pull request to a public repository, a maintainer with write access must approve running workflows on the pull request. For more information, see "[Approving workflow runs from public forks](/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks)." +{% endif %} + {% data reusables.actions.forked-secrets %} The permissions for the `GITHUB_TOKEN` in forked repositories is read-only. For more information, see "[Authenticating with the GITHUB_TOKEN](/actions/configuring-and-managing-workflows/authenticating-with-the-github_token)." {% note %}
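Review bot: in the new `approving-workflow-runs-from-public-forks.md`, the inspection step ("You should be especially alert to any proposed changes in the `.github/workflows/` directory that affect workflow files") scopes the review too narrowly: an approved workflow runs against the whole pull request branch, so any file the workflow invokes (a `run:` step that calls a script in the repo, a build or test configuration, a dependency manifest) can change what actually executes, not just the YAML under `.github/workflows/`. Suggest rewording along the lines of "review all proposed changes, including any files your workflows execute or read, and be especially alert to changes in `.github/workflows/`." It would also help to state whether an approval covers only the commits present at approval time or later pushes to the same pull request, since the page is silent on that and a maintainer following the procedure will want to know.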
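Review bot: in the `pull_request_forked_repos_link.md` hunk, the Liquid tag `{% if currentVersion == "free-pro-team@latest"%}` is missing the space before `%}`; the rest of the file writes tags as `{% ... %}`, so this should be `{% if currentVersion == "free-pro-team@latest" %}` for consistency (and to avoid a parser surprise). The version gate itself matches the new article's `versions: free-pro-team: '*'` front matter, and placing the new paragraph before `{% data reusables.actions.forked-secrets %}` reads well, since the secrets and read-only `GITHUB_TOKEN` notes that follow explain why the approval step is a first line of defence rather than the only one.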