diff --git a/.github/workflows/_check.yml b/.github/workflows/_check.yml
new file mode 100644
index 0000000..146214e
--- /dev/null
+++ b/.github/workflows/_check.yml
@@ -0,0 +1,58 @@
+name: "Code Checks"
+
+on:
+ workflow_call:
+
+permissions:
+ contents: read
+ id-token: write
+ security-events: write
+
+jobs:
+ code-checks:
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Checkout"
+ uses: actions/checkout@v6
+
+ - name: "Install dependencies"
+ uses: ./.github/actions/dependencies
+
+ - name: "🐹 Go"
+ working-directory: apps
+ run: |
+ set -e
+
+ for d in $(ls -1); do
+ cd $d
+ echo "$d:"
+ echo -e " fmt:\033[0;31m"
+ test -z "$(go fmt ./... | tee /dev/stderr)"
+ echo -e "\033[0;32m pass\033[0m"
+ echo -e " vet:\033[0;31m"
+ go vet ./...
+ echo -e "\033[0;32m pass\033[0m"
+ cd ..
+ done
+
+ - name: "☁️ Terraform"
+ working-directory: infra
+ run: |
+ echo "Terraform init"
+ terraform init -backend=false
+
+ echo "Terraform validate"
+ terraform validate
+
+ - name: "🚥 Checkov"
+ uses: bridgecrewio/checkov-action@v12
+ with:
+ config_file: .checkov.yaml
+ output_format: cli,sarif
+ output_file_path: console,results.sarif
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v4
+ if: success() || failure()
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/infra.yml b/.github/workflows/infra.yml
index 6b99e65..04e8736 100644
--- a/.github/workflows/infra.yml
+++ b/.github/workflows/infra.yml
@@ -5,6 +5,7 @@ on:
 push:
 branches:
 - main
+ workflow_dispatch:
 
 permissions:
 contents: read
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index c9a84a8..3095166 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -4,6 +4,9 @@ on:
 pull_request:
 branches:
 - main
+ push:
+ branches:
+ - main
 
 permissions:
 contents: read
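Review bot: `id-token: write` in the new `permissions:` block of `_check.yml` is not used by any of the five steps in this workflow (none of them requests an OIDC token), so unless the local `./.github/actions/dependencies` composite action needs it, drop that line to keep the reusable workflow at least privilege; `security-events: write` is the only write scope the upload-sarif step needs. The third-party actions are pinned by mutable major tag (`actions/checkout@v6`, `bridgecrewio/checkov-action@v12`, `github/codeql-action/upload-sarif@v4`); pinning each to a full commit SHA with the tag in a trailing comment limits exposure to a retagged or compromised release. In the Go step, `for d in $(ls -1); do` with `cd $d` word-splits on names containing spaces and aborts the whole job (via `set -e`) on any non-directory entry under `apps/`, since `cd` then fails; `for d in */; do` with `cd "${d%/}"` iterates only directories and keeps the `cd ..` symmetric.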
@@ -12,54 +15,10 @@ permissions:
 
 jobs:
 validate:
- runs-on: ubuntu-latest
- steps:
- - name: "Checkout"
- uses: actions/checkout@v6
-
- - name: "Install dependencies"
- uses: ./.github/actions/dependencies
-
- - name: "🐹 Go"
- working-directory: apps
- run: |
- set -e
-
- for d in $(ls -1); do
- cd $d
- echo "$d:"
- echo -e " fmt:\033[0;31m"
- test -z "$(go fmt ./... | tee /dev/stderr)"
- echo -e "\033[0;32m pass\033[0m"
- echo -e " vet:\033[0;31m"
- go vet ./...
- echo -e "\033[0;32m pass\033[0m"
- cd ..
- done
-
- - name: "☁️ Terraform"
- working-directory: infra
- run: |
- echo "Terraform init"
- terraform init -backend=false
-
- echo "Terraform validate"
- terraform validate
-
- - name: "🚥 Checkov"
- uses: bridgecrewio/checkov-action@v12
- with:
- config_file: .checkov.yaml
- output_format: cli,sarif
- output_file_path: console,results.sarif
-
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v4
- if: success() || failure()
- with:
- sarif_file: results.sarif
+ uses: ./.github/workflows/_check.yml
 
 terraform-plan:
+ if: github.event_name == 'pull_request'
 concurrency: "sandbox"
 needs: [validate]
 uses: ./.github/workflows/_tf_plan.yml
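Review bot: The `validate` job now calls `_check.yml` with no job-level `permissions:` key, so the called workflow runs with whatever this file's workflow-level block grants, and a called workflow can only narrow that token, never widen it; the caller's block is cut off after `contents: read` in the first hunk, so confirm it still grants `security-events: write`, otherwise the SARIF upload inside `_check.yml` will be rejected. Declaring the grant at the call site, `permissions:` with `contents: read` and `security-events: write` directly under `validate:`, documents why this job holds a write scope and keeps `terraform-plan` from inheriting more than it needs. The `terraform-plan` job continues past the end of the hunk.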