diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 418d4cf8..3b228bcf 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -9,6 +9,16 @@ on:
 jobs:
   backport:
     runs-on: ubuntu-latest
+    # Only react to merged PRs for security reasons.
+    # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.
+    if: >
+      github.event.pull_request.merged
+      && (
+        github.event.action == 'closed'
+        || (
+          github.event.action == 'labeled'
+          && contains(github.event.label.name, 'backport')
+        )
     permissions:
       contents: write
       pull-requests: write
@@ -26,6 +36,6 @@ jobs:
         uses: VachaShah/backport@v2.2.0
         with:
           github_token: ${{ steps.github_app_token.outputs.token }}
-          branch_name: backport/backport-${{ github.event.number }}
+          head_template: backport/backport-<%= number %>-to-<%= base %>
           labels_template: "<%= JSON.stringify([...labels, 'autocut']) %>"
           failure_labels: "failed backport"