diff --git a/.github/workflows/local-testnet.yml b/.github/workflows/local-testnet.yml
index 1ca1006c1f2..0f7bc79ebaa 100644
--- a/.github/workflows/local-testnet.yml
+++ b/.github/workflows/local-testnet.yml
@@ -70,3 +70,11 @@ jobs:
       - name: Stop local testnet with blinded block production
         run: ./stop_local_testnet.sh
         working-directory: scripts/local_testnet
+  local-testnet-success:
+    name: local-testnet-success
+    runs-on: ubuntu-latest
+    needs: ["run-local-testnet"]
+    steps:
+    - uses: actions/checkout@v3
+    - name: Check that success job is dependent on all others
+      run: ./scripts/ci/check-success-job.sh ./.github/workflows/local-testnet.yml local-testnet-success
diff --git a/.github/workflows/test-suite.yml b/.github/workflows/test-suite.yml
index 27c91f22620..152f3515fdd 100644
--- a/.github/workflows/test-suite.yml
+++ b/.github/workflows/test-suite.yml
@@ -24,7 +24,7 @@ jobs:
     if: github.event_name == 'pull_request' || github.event_name == 'merge_group'
     steps:
         - name: Check that the pull request is not targeting the stable branch
-          run: test ${{ github.base_ref }} != "stable"
+          run: test "${{ github.base_ref }}" != "stable"
   extract-msrv:
     runs-on: ubuntu-latest
     steps:
@@ -400,3 +400,40 @@ jobs:
       run: rustup override set beta
     - name: Run make
       run: make
+  # This job succeeds ONLY IF all others succeed. It is used by the merge queue to determine whether
+  # a PR is safe to merge. New jobs should be added here.
+  test-suite-success:
+    name: test-suite-success
+    runs-on: ubuntu-latest
+    needs: [
+        'target-branch-check',
+        'extract-msrv',
+        'cargo-fmt',
+        'release-tests-ubuntu',
+        'release-tests-windows',
+        'beacon-chain-tests',
+        'op-pool-tests',
+        'slasher-tests',
+        'debug-tests-ubuntu',
+        'state-transition-vectors-ubuntu',
+        'ef-tests-ubuntu',
+        'dockerfile-ubuntu',
+        'eth1-simulator-ubuntu',
+        'merge-transition-ubuntu',
+        'no-eth1-simulator-ubuntu',
+        'syncing-simulator-ubuntu',
+        'doppelganger-protection-test',
+        'execution-engine-integration-ubuntu',
+        'check-benchmarks',
+        'clippy',
+        'check-msrv',
+        'arbitrary-check',
+        'cargo-audit',
+        'cargo-vendor',
+        'cargo-udeps',
+        'compile-with-beta-compiler'
+    ]
+    steps:
+    - uses: actions/checkout@v3
+    - name: Check that success job is dependent on all others
+      run: ./scripts/ci/check-success-job.sh ./.github/workflows/test-suite.yml test-suite-success
diff --git a/scripts/ci/check-success-job.sh b/scripts/ci/check-success-job.sh
new file mode 100755
index 00000000000..dfa5c03257c
--- /dev/null
+++ b/scripts/ci/check-success-job.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+# Check that $SUCCESS_JOB depends on all other jobs in the given $YAML
+
+set -euf -o pipefail
+
+YAML=$1
+SUCCESS_JOB=$2
+
+yq '... comments="" | .jobs | map(. | key) | .[]' < "$YAML" | grep -v "$SUCCESS_JOB" | sort > all_jobs.txt
+yq "... comments=\"\" | .jobs.$SUCCESS_JOB.needs[]" < "$YAML" | grep -v "$SUCCESS_JOB" | sort > dep_jobs.txt
+diff all_jobs.txt dep_jobs.txt || (echo "COMPLETENESS CHECK FAILED" && exit 1)
+rm all_jobs.txt dep_jobs.txt
+echo "COMPLETENESS CHECK PASSED"