diff --git a/.github/workflows/sorbet.yml b/.github/workflows/sorbet.yml
index d5a42c3792..f7ba099640 100644
--- a/.github/workflows/sorbet.yml
+++ b/.github/workflows/sorbet.yml
@@ -1,6 +1,11 @@
 name: Update Sorbet files
 
 on:
+  pull_request:
+    paths:
+      - Library/Homebrew/dev-cmd/typecheck.rb
+      - Library/Homebrew/sorbet/**
+      - "!Library/Homebrew/sorbet/rbi/**"
   push:
     paths:
       - .github/workflows/sorbet.yml
@@ -23,20 +28,19 @@ jobs:
         uses: Homebrew/actions/setup-homebrew@master
 
       - name: Configure Git user
+        if: github.event_name != 'pull_request'
         uses: Homebrew/actions/git-user-config@master
         with:
           username: BrewTestBot
 
       - name: Set up commit signing
+        if: github.event_name != 'pull_request'
         uses: Homebrew/actions/setup-commit-signing@master
         with:
           signing_key: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY }}
 
       - name: Update RBI files
         id: update
-        env:
-          GITHUB_TOKEN: ${{ secrets.HOMEBREW_GITHUB_PUBLIC_REPO_TOKEN }}
-          HOMEBREW_GPG_PASSPHRASE: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY_PASSPHRASE }}
         working-directory: ${{ steps.set-up-homebrew.outputs.repository-path }}
         run: |
           git fetch origin
@@ -53,6 +57,15 @@ jobs:
           fi
 
           brew typecheck --update --suggest-typed
+
+      - name: Commit changes
+        id: commit
+        if: github.event_name != 'pull_request'
+        env:
+          GITHUB_TOKEN: ${{ secrets.HOMEBREW_GITHUB_PUBLIC_REPO_TOKEN }}
+          HOMEBREW_GPG_PASSPHRASE: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY_PASSPHRASE }}
+        working-directory: ${{ steps.set-up-homebrew.outputs.repository-path }}
+        run: |
           if ! git diff --stat --exit-code "Library/Homebrew/sorbet"
           then
             git add "Library/Homebrew/sorbet"
@@ -75,7 +88,7 @@ jobs:
           fi
 
       - name: Push commits
-        if: steps.update.outputs.committed == 'true'
+        if: steps.commit.outputs.committed == 'true'
         uses: Homebrew/actions/git-try-push@master
         with:
           token: ${{ secrets.HOMEBREW_GITHUB_PUBLIC_REPO_TOKEN }}
@@ -85,7 +98,7 @@ jobs:
           origin_branch: "master"
 
       - name: Open a pull request
-        if: steps.update.outputs.pull_request == 'true'
+        if: steps.commit.outputs.pull_request == 'true'
         run: hub pull-request --no-edit
         env:
           GITHUB_TOKEN: ${{ secrets.HOMEBREW_GITHUB_PUBLIC_REPO_TOKEN }}
diff --git a/.github/workflows/vendor-gems.yml b/.github/workflows/vendor-gems.yml
index 1d54eb96f3..1607b0254d 100644
--- a/.github/workflows/vendor-gems.yml
+++ b/.github/workflows/vendor-gems.yml
@@ -1,6 +1,15 @@
 name: Vendor Gems
 
 on:
+  pull_request:
+    paths:
+      - Library/Homebrew/dev-cmd/vendor-gems.rb
+      - Library/Homebrew/Gemfile*
+  push:
+    paths:
+      - .github/workflows/vendor-gems.yml
+    branches-ignore:
+      - master
   pull_request_target:
   workflow_dispatch:
     inputs:
@@ -15,8 +24,10 @@ permissions:
 jobs:
   vendor-gems:
     if: >
-      startsWith(github.repository, 'Homebrew/') && (
-        github.event_name == 'workflow_dispatch' || (
+      github.repository_owner == 'Homebrew' && (
+        github.event_name == 'workflow_dispatch' ||
+        github.event_name == 'pull_request' ||
+        github.event_name == 'push' || (
           github.event.pull_request.user.login == 'dependabot[bot]' &&
           contains(github.event.pull_request.title, '/Library/Homebrew')
         )
@@ -28,17 +39,20 @@ jobs:
         uses: Homebrew/actions/setup-homebrew@master
 
       - name: Configure Git user
+        if: github.event_name == 'pull_request_target' || github.event_name == 'workflow_dispatch'
         uses: Homebrew/actions/git-user-config@master
         with:
           username: BrewTestBot
 
       - name: Set up commit signing
+        if: github.event_name == 'pull_request_target' || github.event_name == 'workflow_dispatch'
         uses: Homebrew/actions/setup-commit-signing@master
         with:
           signing_key: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY }}
 
       - name: Check out pull request
         id: checkout
+        if: github.event_name == 'pull_request_target' || github.event_name == 'workflow_dispatch'
         run: |
           gh pr checkout '${{ github.event.pull_request.number || github.event.inputs.pull_request }}'
 
@@ -54,15 +68,24 @@ jobs:
       - name: Vendor Gems
         env:
           HOMEBREW_GPG_PASSPHRASE: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY_PASSPHRASE }}
-        run: brew vendor-gems
+        run: |
+          if [[ "${GITHUB_EVENT_NAME}" == "pull_request_target" || "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]
+          then
+            brew vendor-gems
+          else
+            brew vendor-gems --no-commit
+          fi
 
       - name: Update RBI files
+        run: brew typecheck --update
+
+      - name: Commit RBI changes
+        if: github.event_name == 'pull_request_target' || github.event_name == 'workflow_dispatch'
         env:
           GEM_NAME: ${{ steps.checkout.outputs.gem_name }}
           HOMEBREW_GPG_PASSPHRASE: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY_PASSPHRASE }}
         working-directory: ${{ steps.set-up-homebrew.outputs.repository-path }}
         run: |
-          brew typecheck --update
           if ! git diff --stat --exit-code "Library/Homebrew/sorbet"
           then
             git add "Library/Homebrew/sorbet"
@@ -71,6 +94,7 @@ jobs:
           fi
 
       - name: Push to pull request
+        if: github.event_name == 'pull_request_target' || github.event_name == 'workflow_dispatch'
         uses: Homebrew/actions/git-try-push@master
         with:
           token: ${{ secrets.HOMEBREW_GITHUB_PUBLIC_REPO_TOKEN }}