diff --git a/.github/workflows/test-db-changes.yml b/.github/workflows/test-db-changes.yml
index e00e8af54..79cf7f6db 100644
--- a/.github/workflows/test-db-changes.yml
+++ b/.github/workflows/test-db-changes.yml
@@ -85,10 +85,13 @@ jobs:
 
     - name: Prevent hosts foreign keys
       run: |
-        MATCHES=$(git diff --name-only origin/main | grep "migrations/" | xargs grep -i -E 'references\s*hosts\s*\(\s*id\s*\)' )
-        if [ -n "$MATCHES" ]; then
-          echo "❌ fail: hosts foreign keys are not allowed"
-          echo "$MATCHES"
-          echo "Ref: https://github.com/fleetdm/fleet/blob/main/handbook/engineering/scaling-fleet.md#foreign-keys-and-locking"
-          exit 1
+        # grep exits with an error code if it doesn't find a match, so this condition
+        # is only true if it a) finds a matching migrations file in the diff, and b)
+        # finds an FK to hosts in one of the migrations files.
+        #
+        # grep prints the matches, which will help figure out where those references are.
+        if git diff --name-only origin/main | grep "migrations/" | xargs grep -i -E 'references\s*hosts\s*\(\s*id\s*\)' ; then
+        	echo "❌ fail: hosts foreign keys are not allowed"
+        	echo "Ref: https://github.com/fleetdm/fleet/blob/main/handbook/engineering/scaling-fleet.md#foreign-keys-and-locking"
+        	exit 1
         fi