diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ae9630c7a..398cf203d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -105,9 +105,9 @@ jobs:
 contents: read
 security-events: write # for reporting vulnerabilities via code-scanning API
 with:
- # Use PR head branch (the feature branch) when running from a pull_request event.
- # Fallback to github.head_ref (sanity) or ref name for other contexts.
- target-branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref_name }}
+ # Use PR head SHA for pull requests (supports PRs from forks).
+ # Fallback to ref name for other contexts.
+ target-branch: ${{ github.event.pull_request.head.sha || github.ref_name }}
 unit-test:
 name: Unit Tests
diff --git a/.github/workflows/vulncheck.yml b/.github/workflows/vulncheck.yml
index 7e1c06f52..f83a85091 100644
--- a/.github/workflows/vulncheck.yml
+++ b/.github/workflows/vulncheck.yml
@@ -23,16 +23,17 @@ jobs:
 runs-on: ubuntu-22.04
 permissions:
 security-events: write # for reporting vulnerabilities via code-scanning API
+ env:
+ GOPROXY: "https://proxy.golang.org,direct"
 steps:
 - name: Checkout Repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 fetch-depth: 0
- # For a pull_request event use the PR head branch (github.head_ref)
- # to this ensures vulncheck runs against the feature branch.
- # Otherwise, fall back to inputs.target-branch, github.ref_name, then 'main'.
- ref: ${{ (github.event_name == 'pull_request' && github.head_ref) || inputs.target-branch || github.ref_name || 'main' }}
+ # Use inputs.target-branch which can be a branch name or SHA.
+ # Falls back to github.ref_name or 'main' if not provided.
+ ref: ${{ inputs.target-branch || github.ref_name || 'main' }}
 - name: Check Go version
 id: get-go-version
diff --git a/internal/file/external_file_operator.go b/internal/file/external_file_operator.go
index f9403d309..5306494c4 100644
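Review bot: The `target-branch` input now carries a commit SHA on pull requests, and for fork PRs that SHA points at code the repository does not control, but nothing on the new lines records the condition that makes checking it out safe. That is only reasonable while the calling workflow runs on `pull_request`; the trigger is outside this hunk, so it is worth confirming that no `pull_request_target` path reaches this job, which requests `security-events: write`. I would add a comment above the new line such as `# Head SHA may be untrusted fork code: this job must only run on pull_request, never pull_request_target.` The input name is also misleading now that it is not always a branch; a later rename to something like `target-ref` would match the value.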
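Review bot: With the `github.event_name == 'pull_request'` branch removed from `ref:`, any run of this workflow that is started directly by a pull request, rather than called with `target-branch` set, falls through to `github.ref_name`, which on pull requests has the form `<number>/merge` and is not a branch name, so the checkout will likely fail to resolve it. Whether vulncheck.yml still has its own pull_request trigger is not visible in this hunk; if it does, keep a PR-specific fallback, for example `ref: ${{ inputs.target-branch || github.event.pull_request.head.sha || github.ref_name || 'main' }}`. The new `env:` block sets GOPROXY to the value Go already uses by default, so a one-line comment saying why it is set explicitly would help the next reader.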
--- a/internal/file/external_file_operator.go
+++ b/internal/file/external_file_operator.go
@@ -21,6 +21,7 @@ import (
 "github.com/gabriel-vasile/mimetype"
 mpi "github.com/nginx/agent/v3/api/grpc/mpi/v1"
 "github.com/nginx/agent/v3/internal/model"
+ "github.com/nginx/agent/v3/pkg/files"
 )
 type ExternalFileOperator struct {
@@ -50,6 +51,7 @@ func (efo *ExternalFileOperator) DownloadExternalFile(ctx context.Context, fileA
 var contentToWrite []byte
 var downloadErr, updateError error
 var headers DownloadHeader
+ var hash string
 contentToWrite, headers, downloadErr = efo.downloadFileContent(ctx, fileAction.File)
@@ -93,6 +95,12 @@ func (efo *ExternalFileOperator) DownloadExternalFile(ctx context.Context, fileA
 return fmt.Errorf("failed to write downloaded content to temp file %s: %w", filePath, writeErr)
 }
+ hash = files.GenerateHash(contentToWrite)
+ slog.InfoContext(ctx, "Successfully downloaded external file",
+ "event_tag", externalFileEventTag,
+ "location", location,
+ "hash", hash)
+
 return nil
 }
diff --git a/internal/file/file_manager_service.go b/internal/file/file_manager_service.go
index fce1cd089..5dc2a71a8 100644
--- a/internal/file/file_manager_service.go
+++ b/internal/file/file_manager_service.go
@@ -41,6 +41,8 @@ const (
 dirPerm = 0o755
 filePerm = 0o600
 executePerm = 0o111
+ // externalFileEventTag is used for internal event generation
+ externalFileEventTag = "ID-1310"
 )
 type DownloadHeader struct {
@@ -651,6 +653,7 @@ func (fms *FileManagerService) executeFileActions(ctx context.Context) (actionEr
 return actionError
 }
+//nolint:revive // adding error logs increased cog. complexity
 func (fms *FileManagerService) downloadUpdatedFilesToTempLocation(ctx context.Context) (updateError error) {
 var downloadFiles []*model.FileCache
 for _, fileAction := range fms.fileActions {
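Review bot: The new Info log in DownloadExternalFile writes `location` verbatim, and an external data source URL can carry credentials in its userinfo part or signed tokens in its query string, which would then end up in the agent log. `location` is assigned outside this hunk, so its exact form is not visible here; if it is a raw URL, parse it with `url.Parse` and log `u.Redacted()` with `u.RawQuery` cleared instead of the original string. The same field is logged in the error path this commit adds to downloadUpdatedFilesToTempLocation in file_manager_service.go. Separately, `var hash string` from the previous hunk is only used at this point, so `hash := files.GenerateHash(contentToWrite)` here would keep the declaration next to its single use.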
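Review bot: The `//nolint:revive` directive on downloadUpdatedFilesToTempLocation silences every revive rule for the whole function, not only the cognitive-complexity finding its comment mentions, so later problems in this function will go unreported. Extracting the external-file branch (the download call plus its error log) into a small private helper would bring the complexity back under the limit without a suppression. The function body continues outside this hunk, so the current complexity score cannot be checked from here.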
@@ -674,7 +677,15 @@ func (fms *FileManagerService) downloadUpdatedFilesToTempLocation(ctx context.Co
 switch fileAction.Action {
 case model.ExternalFile:
- return fms.externalFileOperator.DownloadExternalFile(errGroupCtx, fileAction, tempFilePath)
+ err := fms.externalFileOperator.DownloadExternalFile(errGroupCtx, fileAction, tempFilePath)
+ if err != nil {
+ slog.ErrorContext(ctx, "Failed to download external file",
+ "event_tag", externalFileEventTag,
+ "location", fileAction.File.GetExternalDataSource().GetLocation(),
+ "err", err)
+ }
+
+ return err
 case model.Add, model.Update:
 slog.DebugContext(
 errGroupCtx,
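Review bot: The added error log is written with `ctx`, while the download call on the line above and the neighbouring `slog.DebugContext` both use `errGroupCtx`; `slog.ErrorContext(errGroupCtx, "Failed to download external file",` would keep the closure consistent. The error is also logged here and then returned, so if the caller logs the errgroup result the same failure will appear twice; that caller is outside this hunk. The enclosing closure starts and ends outside the hunk.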