diff --git a/.github/actions/remote/Dockerfile b/.github/actions/remote/Dockerfile
new file mode 100644
index 0000000000..d3cc5d7757
--- /dev/null
+++ b/.github/actions/remote/Dockerfile
@@ -0,0 +1,7 @@
+# Intended to be run on a remote DOCKER_HOST
+ARG RUST_IMAGE=rust:1.37.0-buster
+FROM $RUST_IMAGE as build
+WORKDIR /usr/src/linkerd2-proxy
+COPY . ./
+RUN ["make", "fetch"]
+ENTRYPOINT ["make"]
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 66789e2cd7..a707bb85b6 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -26,8 +26,59 @@ jobs:
 
   integration:
     runs-on: ubuntu-18.04
-    container:
-      image: docker://rust:1.37.0-buster
     steps:
     - uses: actions/checkout@v1
-    - run: make test-integration
+
+    # Forks run in GitHub actions, as they don't have access to secrets.
+    - name: Test (Fork)
+      if: github.event.pull_request.head.repo.fork
+      run: make test-integration
+
+    # Create a build image on a Linkerd build host.
+    - name: Setup (Origin)
+      if: '!github.event.pull_request.head.repo.fork'
+      env:
+        DOCKER_HOST: "ssh://linkerd-docker"
+      run: |
+        mkdir -p ~/.ssh
+        # Create an identity file and protect before writing contents to it.
+        touch ~/.ssh/id && chmod 600 ~/.ssh/id
+        echo "${{ secrets.DOCKER_PRIVATE_KEY }}" >~/.ssh/id
+        # Use well-known public keys for the host to prevent middlemen.
+        echo "${{ secrets.DOCKER_KNOWN_HOSTS }}" >~/.ssh/known_hosts
+        # Configure host with ServerAliveInterval to ensure that the client
+        # stays alive even when the server is busy emitting nothing.
+        # ServerAliveCountMax ensures that server responds to these pings
+        # within ~5 minutes.
+        (
+          echo "Host linkerd-docker"
+          echo "    User github"
+          echo "    Hostname ${{ secrets.DOCKER_ADDRESS }}"
+          echo "    IdentityFile ~/.ssh/id"
+          echo "    BatchMode yes"
+          echo "    ServerAliveInterval 60"
+          echo "    ServerAliveCountMax 5"
+        ) >~/.ssh/config
+        # Confirm that the SSH configuration works.
+        ssh linkerd-docker docker version
+        # Build once with output, then build again to get the img ref (should
+        # be a noop).
+        docker build -f .github/actions/remote/Dockerfile .
+        docker build -qf .github/actions/remote/Dockerfile . >image.ref
+
+    # Use the previously built image to run tests.
+    - name: Test (Origin)
+      if: '!github.event.pull_request.head.repo.fork'
+      env:
+        DOCKER_HOST: "ssh://linkerd-docker"
+      run: docker run --rm $(cat image.ref) test-integration
+
+    # Try to delete the build image.
+    - name: Cleanup (Origin)
+      if: always() && !github.event.pull_request.head.repo.fork
+      env:
+        DOCKER_HOST: "ssh://linkerd-docker"
+      run: |
+        if [ -f image.ref ]; then docker rmi -f $(cat image.ref)
+        else echo "skipped" >&2
+        fi