diff --git a/.github/workflows/gitlab.yml b/.github/workflows/gitlab.yml
index 3ee314caacb..964c47f2834 100644
--- a/.github/workflows/gitlab.yml
+++ b/.github/workflows/gitlab.yml
@@ -20,6 +20,9 @@ on:
   push:
     branches:
       - main
+  pull_request:
+    branches:
+      - main
 
 jobs:
   gitlab-integration-trusted:
@@ -27,17 +30,17 @@ jobs:
     environment: gitlab
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v1
+        uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - name: Clone the code
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
-           fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha || github.sha }} # head SHA if PR, else fallback to push SHA
 
       - name: setup-go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v2.2.0
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
         with:
           go-version: '1.19'
           check-latest: true
@@ -46,9 +49,18 @@ jobs:
         run: |
             go mod download
 
+      - name: Run GitLab tokenless E2E
+        uses: nick-invision/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd # v2.8.3
+        if: github.event_name == 'pull_request'
+        with:
+          max_attempts: 3
+          retry_on: error
+          timeout_minutes: 30
+          command: make e2e-gitlab
+
       - name: Run GitLab PAT E2E  # skip if auth token is not available
-        uses: nick-invision/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd
-        if: ${{ github.actor != 'dependabot[bot]' }}
+        uses: nick-invision/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd # v2.8.3
+        if: ${{ github.event_name == 'push' && github.actor != 'dependabot[bot]' }}
         env:
           GITLAB_AUTH_TOKEN: ${{ secrets.GITLAB_TOKEN }}
         with:
@@ -58,7 +70,7 @@ jobs:
           command: make e2e-gitlab-token
 
       - name: codecov
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # 2.1.0
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # 3.1.4
         with:
-         files: ./e2e-coverage.out
-         verbose: true
\ No newline at end of file
+         files: "*e2e-coverage.out"
+         verbose: true
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 32bb9998ddf..f2e88119a0b 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -60,20 +60,6 @@ jobs:
         run: |
             go mod download
 
-      - name: Run GitLab E2E  #using retry because the GitHub token is being throttled.
-        uses: nick-invision/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd
-        with:
-          max_attempts: 3
-          retry_on: error
-          timeout_minutes: 30
-          command: make e2e-gitlab
-
-      - name: codecov
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # 2.1.0
-        with:
-         files: ./e2e-coverage.out
-         verbose: true
-
       - name: Run GITHUB_TOKEN E2E  #using retry because the GitHub token is being throttled.
         uses: nick-invision/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd
         env: