diff --git a/.github/workflows/giteabot-backport.yml b/.github/workflows/giteabot-backport.yml
new file mode 100644
index 00000000000..be4b3d42a1c
--- /dev/null
+++ b/.github/workflows/giteabot-backport.yml
@@ -0,0 +1,26 @@
+name: giteabot backport
+
+on:
+ push:
+ branches:
+ - main
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}
+ cancel-in-progress: false
+
+jobs:
+ giteabot:
+ if: github.repository == 'go-gitea/gitea'
+ runs-on: ubuntu-latest
+ timeout-minutes: 30
+ steps:
+ - uses: go-gitea/giteabot@40d7c74f93d479578978c4ef47a655a467b8dab1 # Add config options (#5)
+ with:
+ github_token: ${{ secrets.GITEABOT_TOKEN }}
+ gitea_fork: giteabot/gitea
+ checks: backport
diff --git a/.github/workflows/giteabot.yml b/.github/workflows/giteabot.yml
index dad7a19fdb4..b9e3cc1651b 100644
--- a/.github/workflows/giteabot.yml
+++ b/.github/workflows/giteabot.yml
@@ -1,9 +1,6 @@
 name: giteabot
 on:
- push:
- branches:
- - main
 # pull_request_target gives this workflow access to GITEABOT_TOKEN on PRs from
 # forks, which the bot needs to write labels, statuses and comments. Safe here
 # because the job only runs a pinned action and never checks out PR HEAD.
@@ -24,9 +21,17 @@ on:
 schedule:
 - cron: "15 3 * * *"
 workflow_dispatch:
+ inputs:
+ checks:
+ description: Comma-separated list of non-backport checks to run
+ required: false
+ default: labels,merge_queue,lock,feedback,last_call,milestones,lgtm,translation_comment,pr_actions
 permissions:
 contents: read
+ issues: write
+ pull-requests: write
+ statuses: write
 concurrency:
 group: ${{ format('{0}-{1}', github.workflow, (github.event_name == 'pull_request_target' || github.event_name == 'pull_request_review') && format('pr-{0}', github.event.pull_request.number) || 'maintenance') }}
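Review bot: In giteabot-backport.yml the `uses:` line is pinned to a full commit SHA, which is right, but its trailing annotation `# Add config options (#5)` is a commit subject rather than a release tag, so neither a reviewer nor an update bot can tell which published version the hash corresponds to; the same pin and annotation appear in the last giteabot.yml hunk. Because this step receives `secrets.GITEABOT_TOKEN`, I would tag that commit in go-gitea/giteabot and annotate both pins as `# vX.Y.Z` (placeholder for the real tag). Separately, a `concurrency` group with `cancel-in-progress: false` still keeps only one pending run, so it is worth confirming that one backport run covers every merged PR and not only the push that triggered it.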
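Review bot: The `issues: write`, `pull-requests: write` and `statuses: write` grants in the second giteabot.yml hunk sit at workflow level, so every job in the file, including any added later, gets a write-scoped `GITHUB_TOKEN` on `pull_request_target` events; the `jobs:` block is outside this hunk, but moving the three lines under `jobs.giteabot.permissions` would keep the top-level default at `contents: read`. The safety comment above `pull_request_target` in the first hunk speaks only of GITEABOT_TOKEN and should now also cover the workflow token, for example `# GITHUB_TOKEN also has issues/pull-requests/statuses write here; keep this job free of PR-controlled code.` The new `checks` input is described as non-backport only, yet nothing in the visible lines rejects `backport` if a dispatcher passes it.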
@@ -38,7 +43,9 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 30
 steps:
- - uses: go-gitea/giteabot@8996d0b0e6c4ab066e3adcaf2c49b5d4cd15d7af # v1.0.1
+ # pull_request_review runs without repository secrets on fork PRs, so fall
+ # back to the workflow token for the non-backport checks handled here.
+ - uses: go-gitea/giteabot@40d7c74f93d479578978c4ef47a655a467b8dab1 # Add config options (#5)
 with:
- github_token: ${{ secrets.GITEABOT_TOKEN }}
- gitea_fork: giteabot/gitea
+ github_token: ${{ secrets.GITEABOT_TOKEN || github.token }}
+ checks: ${{ github.event.inputs.checks || 'labels,merge_queue,lock,feedback,last_call,milestones,lgtm,translation_comment,pr_actions' }}
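Review bot: The `secrets.GITEABOT_TOKEN || github.token` fallback on the `github_token:` line is silent, and on `pull_request_review` runs from forks the workflow token is, as far as I know, read-only regardless of the `permissions:` block, so checks that write labels, statuses or comments may fail or be skipped there. The same fallback also hides a missing or rotated secret on trusted events, where the job would quietly act as `github-actions[bot]` instead of the bot account. Once confirmed against the action's behaviour, I would extend the new comment with `# On fork PRs the fallback token is read-only; write checks are expected to no-op.` The default check list is also repeated verbatim in the `workflow_dispatch` input default and in this `checks:` expression, so the two copies can drift. The job header lies outside this hunk.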