diff --git a/.github/workflows/circleci.yml b/.github/workflows/circleci.yml
index 0c686aad..7ece9022 100644
--- a/.github/workflows/circleci.yml
+++ b/.github/workflows/circleci.yml
@@ -8,8 +8,14 @@ on:
     branches:
     - main
 jobs:
+  approve: # First step
+    runs-on: ubuntu-latest
+    steps:
+    - name: Approve
+      run: echo For security reasons, all pull requests need to be approved first before running any automated CI.
   trigger-circleci:
     runs-on: ubuntu-latest
+    needs: [approve] # Require the first step to finish
     steps:
       - name: secretflow-yacl-ci
         id: secretflow-yacl-ci