diff --git a/.github/workflows/live-protection.yml b/.github/workflows/live-protection.yml
new file mode 100644
index 00000000000..3f097ac42e5
--- /dev/null
+++ b/.github/workflows/live-protection.yml
@@ -0,0 +1,27 @@
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  comment:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
+        env:
+          SHOULD_COMMENT: ${{ github.base_ref == 'refs/heads/live' && !(github.head_ref == 'refs/heads/main') }}
+        with:
+          script: |
+            if (process.env.SHOULD_COMMENT == 'true') {
+              github.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: 'It looks like this pull request may have been opened on the `live` branch by mistake. In general, PRs should target the `main` branch.'
+              })
+            }