diff --git a/.github/workflows/auto-merge-dependabot.yaml b/.github/workflows/auto-merge-dependabot.yaml
index ef2e273..08f1b1e 100644
--- a/.github/workflows/auto-merge-dependabot.yaml
+++ b/.github/workflows/auto-merge-dependabot.yaml
@@ -3,7 +3,10 @@
 # Also see https://github.com/dependabot/fetch-metadata
 
 name: Dependabot auto-merge
-on: pull_request
+on:
+  pull_request:
+    branches: main
+  workflow_dispatch:
 
 permissions:
   pull-requests: write
@@ -13,6 +16,9 @@ jobs:
   dependabot:
     runs-on: ubuntu-latest
     if: github.actor == 'dependabot[bot]'
+    env:
+      PR_URL: ${{github.event.pull_request.html_url}}
+      GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
     steps:
       - name: Dependabot metadata
         id: metadata
@@ -25,6 +31,7 @@ jobs:
           ! contains(steps.metadata.outputs.dependency-names, 'tlslite-ng') &&
           steps.metadata.outputs.update-type != 'version-update:semver-major'
         run: gh pr merge --auto --rebase "$PR_URL"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+      - name: "Warn that we won't auto-merge major version updates"
+        if: steps.metadata.outputs.update-type == 'version-update:semver-major'
+        run: gh pr comment "$PR_URL" -b "Looks like a major version upgrade! Skipping auto-merge."