diff --git a/.github/workflows/infra-apply.yml b/.github/workflows/infra-apply.yml
index 6be1e86..cb963ac 100644
--- a/.github/workflows/infra-apply.yml
+++ b/.github/workflows/infra-apply.yml
@@ -1,6 +1,16 @@
 name: Create and Update Infrastructure
 
 on:
+  pull_request:
+    paths:
+      - infra
+      - .github/workflows/infra-apply.yml
+  push:
+    branches:
+      - main
+    paths:
+      - infra
+      - .github/workflows/infra-apply.yml
   workflow_dispatch:
     inputs:
       tf-workspace:
@@ -27,7 +37,7 @@ jobs:
         run: |
           tofu init
           tofu validate
-          tofu workspace select ${{ github.event.inputs.tf-workspace }}
+          tofu workspace select ${{ github.event.inputs.tf-workspace || 'default' }}
           tofu plan -out=tfplan
       - uses: cachix/install-nix-action@v31
       - name: Encrypt OpenTofu plan file
@@ -47,7 +57,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: tofu-plan
     environment: infra-${{ github.event.inputs.tf-workspace }}
-    if: github.ref == 'refs/heads/main' # Only run apply on main branch.
+    # Only run apply on main branch and when it's triggered by workflow_dispatch.
+    if: github.ref == 'refs/heads/main' && github.event_name == 'workflow_dispatch'
     defaults:
       run:
         working-directory: ./infra # Set working directory for apply job.