diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index b2640403b5..bd9375ceb9 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,13 +1,14 @@
 name: lint
 on:
- pull_request:
- paths-ignore:
- - "**.md"
- - "**.svg"
- - ".gitignore"
- - "LICENSE"
- - "flake.lock"
+ workflow_call:
+ inputs:
+ ref:
+ required: true
+ type: string
+
+permissions:
+ contents: read
 jobs:
 treefmt:
@@ -15,7 +16,15 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
+
 - name: Install Nix
 uses: cachix/install-nix-action@v31
+ with:
+ extra_nix_config: |
+ extra-substituters = https://nix-community.cachix.org
+ extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
+
 - name: Run treefmt check
- run: nix build .#checks.x86_64-linux.treefmt --accept-flake-config
+ run: nix build .#checks.x86_64-linux.treefmt
diff --git a/.github/workflows/merge-queue.yml b/.github/workflows/merge-queue.yml
new file mode 100644
index 0000000000..ac7364a147
--- /dev/null
+++ b/.github/workflows/merge-queue.yml
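Review bot: The new `workflow_call` block in `.github/workflows/lint.yml` (first hunk) does not record that `inputs.ref` can be untrusted: `pr.yml` in this same commit calls it from `pull_request_target` with `github.event.pull_request.head.sha`, so the tree that is checked out and built may come from a fork. I would add a comment above `inputs:` such as `# ref may be an untrusted PR head (caller runs on pull_request_target); never add secrets or write permissions to this workflow`, plus a `description:` on `ref`. The `permissions: contents: read` block is a good floor, and the comment tells the next editor why it has to stay that way.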
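Review bot: The checkout step in `lint.yml` (second hunk) now fetches a caller-supplied ref but leaves `persist-credentials` at its default, so the job token stays in the checked-out repository's git configuration while `nix build` evaluates that tree. Because the ref can be a fork's PR head, add `persist-credentials: false` under the new `with:` next to `ref: ${{ inputs.ref }}`. Dropping `--accept-flake-config` and setting the substituter in the workflow already keeps the flake's own `nixConfig` from being honoured; the token is read-scoped here, but there is no reason to leave it on disk. The `treefmt` job starts above the hunk.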
@@ -0,0 +1,39 @@
+name: Merge Queue
+
+on:
+ merge_group:
+
+permissions: {}
+
+jobs:
+ lint:
+ uses: ./.github/workflows/lint.yml
+ with:
+ ref: ${{ github.event.merge_group.head_sha }}
+
+ # This job posts the "Required Status Checks" to satisfy our ruleset.
+ required-checks:
+ # It "needs" all the jobs that should block the Merge Queue.
+ # Modify this list to add or remove jobs from required status checks.
+ needs:
+ - lint
+
+ name: Required checks
+ runs-on: ubuntu-24.04-arm
+ permissions:
+ statuses: write
+ steps:
+ - uses: actions/github-script@v7
+ with:
+ script: |
+ const { serverUrl, repo, runId, payload } = context
+ await github.rest.repos.createCommitStatus({
+ ...repo,
+ sha: payload.merge_group.head_sha,
+ target_url: `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}`,
+ // WARNING:
+ // Do NOT change the context name or it will not match the ruleset.
+ // This would prevent all PRs from merging.
+ context: 'PR checks successful',
+ state: 'success',
+ })
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
new file mode 100644
index 0000000000..d703630f48
--- /dev/null
+++ b/.github/workflows/pr.yml
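Review bot: The `lint` job in `merge-queue.yml` calls `lint.yml` without a job-level `permissions:` block, so it inherits the workflow-level `permissions: {}`, while the called workflow declares `contents: read`. A called workflow can only keep or reduce the caller's token permissions, and as far as I know GitHub rejects the run at startup when the nested workflow asks for more than the caller grants. Add `permissions:` with `contents: read` under `lint:` here; the `lint` job in `pr.yml` has the same gap. Keeping the top-level `permissions: {}` and granting scopes per job is the right shape.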
@@ -0,0 +1,43 @@
+name: PR
+
+on:
+ pull_request_target:
+
+concurrency:
+ group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
+ cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+ lint:
+ uses: ./.github/workflows/lint.yml
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ # This job posts the "Required Status Checks" to satisfy our ruleset.
+ required-checks:
+ # It "needs" all the jobs that should block merging a PR.
+ # Modify this list to add or remove jobs from required status checks.
+ needs:
+ - lint
+
+ name: Required checks
+ runs-on: ubuntu-24.04-arm
+ permissions:
+ statuses: write
+ steps:
+ - uses: actions/github-script@v7
+ with:
+ script: |
+ const { serverUrl, repo, runId, payload } = context
+ await github.rest.repos.createCommitStatus({
+ ...repo,
+ sha: payload.pull_request.head.sha,
+ target_url: `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}`,
+ // WARNING:
+ // Do NOT change the context name or it will not match the ruleset.
+ // This would prevent all PRs from merging.
+ context: 'PR checks successful',
+ state: 'success',
+ })
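Review bot: `actions/github-script@v7` in the `required-checks` job of `pr.yml` is referenced by a mutable tag, yet this job holds `statuses: write` and posts the `PR checks successful` status that the ruleset uses to gate merging. Pin it to a full commit SHA, e.g. `uses: actions/github-script@<full-commit-sha> # v7`, so a moved tag cannot change what runs with that permission; the same line appears in `merge-queue.yml`. A short comment next to `pull_request_target:` stating that the only job executing PR code is the read-only `lint` call would also help keep write scopes out of that path.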