diff --git a/.github/workflows/head-update.yaml b/.github/workflows/non-release.yaml
similarity index 90%
rename from .github/workflows/head-update.yaml
rename to .github/workflows/non-release.yaml
index 8dd34893a..7f1721d15 100644
--- a/.github/workflows/head-update.yaml
+++ b/.github/workflows/non-release.yaml
@@ -1,6 +1,6 @@
 name: Build
 on:
-  push:
+  merge_group:
   pull_request:
     types:
       - opened
@@ -10,7 +10,11 @@ on:
   pull_request_target:
     types:
       - labeled
-  merge_group:
+  push:
+    branches:
+    - 'master'
+    - 'release-*'
+  workflow_dispatch:
 
 jobs:
   build:
@@ -33,4 +37,4 @@ jobs:
     secrets: inherit
     permissions:
       id-token: write
-      contents: write
\ No newline at end of file
+      contents: write
diff --git a/.github/workflows/pullrequest-trust-helper.yaml b/.github/workflows/pullrequest-trust-helper.yaml
new file mode 100644
index 000000000..4e6f39b70
--- /dev/null
+++ b/.github/workflows/pullrequest-trust-helper.yaml
@@ -0,0 +1,16 @@
+on:
+  pull_request_target:
+    types:
+    - opened
+    - edited
+    - reopened
+    - synchronize
+
+jobs:
+  pullrequest-trusted-helper:
+    permissions:
+      pull-requests: write
+    secrets: inherit # access to `GitHub-Actions`-App is needed to read teams
+    uses: gardener/cc-utils/.github/workflows/pullrequest-trust-helper.yaml@master
+    with:
+      trusted-teams: 'core,gardener-extension-provider-aws-maintainers'