diff --git a/.github/workflows/auto_cherry_pick.yml b/.github/workflows/auto_cherry_pick.yml
index 15b3c13..e76ec7c 100644
--- a/.github/workflows/auto_cherry_pick.yml
+++ b/.github/workflows/auto_cherry_pick.yml
@@ -16,6 +16,13 @@ on:
         description: "Specify a script to run after audit fix"
         required: false
         default: "yarn build"
+      mode:
+        description: "Run mode: cherry-pick or verify"
+        required: false
+        default: "cherry-pick"
+
+  pull_request:
+    types: [opened, synchronize, labeled]
 
 permissions:
   contents: write
@@ -25,6 +32,7 @@ permissions:
 
 jobs:
   cherry-pick:
+    if: github.event_name == 'workflow_dispatch' || contains(fromJson(toJson(github.event.pull_request.labels)).*.name, 'review-required')
     uses: step-security/reusable-workflows/.github/workflows/auto_cherry_pick.yaml@v1
     with:
       original-owner: "changesets"
@@ -32,3 +40,4 @@ jobs:
       base_branch: ${{ inputs.base_branch }}
       package_manager: "yarn"
       script: ${{ inputs.script || 'yarn build' }}
+      mode: ${{ github.event_name == 'pull_request' && 'verify' || inputs.mode }}