diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index e317903c2f8d..54360b2dd6f8 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -4,10 +4,10 @@ on:
   workflow_call:
     inputs:
       baseBranch:
-        required: true
+        required: false
         type: string
       headBranch:
-        required: true
+        required: false
         type: string
       mergedSha:
         required: true
@@ -27,6 +27,7 @@ defaults:
 
 jobs:
   commits:
+    if: inputs.baseBranch && inputs.headBranch
     permissions:
       pull-requests: write
     runs-on: ubuntu-24.04-arm
diff --git a/.github/workflows/merge-group.yml b/.github/workflows/merge-group.yml
index 05fde3617c15..3661f4c32429 100644
--- a/.github/workflows/merge-group.yml
+++ b/.github/workflows/merge-group.yml
@@ -56,6 +56,19 @@ jobs:
             core.info(`targetSha: ${context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA}`)
             core.setOutput('systems', require('./ci/supportedSystems.json'))
 
+  check:
+    name: Check
+    needs: [prepare]
+    uses: ./.github/workflows/check.yml
+    permissions:
+      # cherry-picks; formality right now, but unused
+      pull-requests: write
+    secrets:
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+    with:
+      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
+      targetSha: ${{ needs.prepare.outputs.targetSha }}
+
   lint:
     name: Lint
     needs: [prepare]
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 727a9f965845..a48cc57b44e0 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -82,6 +82,7 @@ jobs:
     uses: ./.github/workflows/merge-group.yml
     # Those are actually only used on the merge_group event, but will throw an error if not set.
     permissions:
+      pull-requests: write
       statuses: write
     secrets:
       CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}