From 984bb30cb9e2047904923bf82f3931e4f92dffae Mon Sep 17 00:00:00 2001
From: Raj-StepSecurity <rajkumar@stepsecurity.io>
Date: Mon, 5 Jan 2026 11:14:33 +0530
Subject: [PATCH] Update auto_cherry_pick.yml

---
 .github/workflows/auto_cherry_pick.yml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/auto_cherry_pick.yml b/.github/workflows/auto_cherry_pick.yml
index 40870b6..d1641a5 100644
--- a/.github/workflows/auto_cherry_pick.yml
+++ b/.github/workflows/auto_cherry_pick.yml
@@ -16,6 +16,13 @@ on:
         description: "Specify a script to run after audit fix"
         required: false
         default: "yarn run all"
+      mode:
+        description: "Run mode: cherry-pick or verify"
+        required: false
+        default: "cherry-pick"
+
+  pull_request:
+    types: [labeled, opened, synchronize]
 
 permissions:
   contents: write
@@ -24,11 +31,13 @@ permissions:
   issues: write
 
 jobs:
-  audit-fix:
+  cherry-pick:
+    if: github.event_name == 'workflow_dispatch' || contains(fromJson(toJson(github.event.pull_request.labels)).*.name, 'review-required')
     uses: step-security/reusable-workflows/.github/workflows/auto_cherry_pick.yaml@upstream-Changes-CherryPick
     with:
       original-owner: "tj-actions"
       repo-name: "changed-files"
       base_branch: ${{ inputs.base_branch }}
       package_manager: "yarn"
-      script: ${{ inputs.script || 'yarn run all' }}
\ No newline at end of file
+      script: ${{ inputs.script || 'yarn run all' }}
+      mode: ${{ github.event_name == 'pull_request' && 'verify' || inputs.mode }}