diff --git a/.github/workflows/marketplace-publish.yml b/.github/workflows/marketplace-publish.yml
index 645409da4b..d0559d0bcc 100644
--- a/.github/workflows/marketplace-publish.yml
+++ b/.github/workflows/marketplace-publish.yml
@@ -9,6 +9,7 @@ on:
 jobs:
 publish-stable:
 runs-on: ubuntu-latest
+ environment: marketplace-production
 permissions:
 contents: write
@@ -29,6 +30,13 @@ jobs:
 test "$package_name" = "zoo-code"
 test "$publisher" = "ZooCodeOrganization"
+ - name: Validate publish ref
+ run: |
+ if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ] && [ "$GITHUB_REF_NAME" != "main" ]; then
+ echo "Manual stable publishes must run from main, not ${GITHUB_REF_NAME}."
+ exit 1
+ fi
+
 - name: Validate release tag
 if: github.event_name == 'push'
 run: |
diff --git a/.github/workflows/nightly-publish.yml b/.github/workflows/nightly-publish.yml
index 7c676b1614..2487a694f9 100644
--- a/.github/workflows/nightly-publish.yml
+++ b/.github/workflows/nightly-publish.yml
@@ -15,6 +15,7 @@ concurrency:
 jobs:
 publish-prerelease:
 runs-on: ubuntu-latest
+ environment: marketplace-prerelease
 steps:
 - name: Checkout code
@@ -33,6 +34,13 @@ jobs:
 test "$package_name" = "zoo-code"
 test "$publisher" = "ZooCodeOrganization"
+ - name: Validate publish ref
+ run: |
+ if [ "$GITHUB_REF_NAME" != "main" ]; then
+ echo "Pre-release publishes must run from main, not ${GITHUB_REF_NAME}."
+ exit 1
+ fi
+
 - name: Set pre-release version
 id: version
 env:
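Review bot: `environment: marketplace-production` on `publish-stable` only gates the job if that environment is actually configured in the repository settings. Nothing in this diff shows required reviewers or a rule for allowed refs, and GitHub creates a referenced environment that does not yet exist with no protection rules. The gate also only holds if the marketplace publish token is a secret of this environment rather than a repository-level secret, which is not visible here and should be confirmed. I would add a comment above the line, e.g. `# protected environment: reviewers and allowed refs are set in repo settings; the publish token is an environment secret`. The same applies to `environment: marketplace-prerelease` in nightly-publish.yml, and the job body continues outside the hunk.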
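Review bot: The `Validate publish ref` step compares `$GITHUB_REF_NAME`, which is the short name of a branch or a tag, so a manual dispatch from a tag named `main` would also pass. Comparing the full ref is stricter: `[ "$GITHUB_REF" != "refs/heads/main" ]`. The step added to nightly-publish.yml further down uses the same comparison. For `workflow_dispatch` the workflow definition is taken from the dispatched ref, so this step catches mistakes but is not an enforcement point. The control that still holds when the file is edited on another branch is the deployment branch policy on the environment.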
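Review bot: In nightly-publish.yml the ref check runs as a step after `Checkout code` and the metadata validation, so, as far as I can tell, the `marketplace-prerelease` environment's approval is requested before the job finds out it is on the wrong ref. A job-level condition under `publish-prerelease:` would stop it earlier: `if: github.ref == 'refs/heads/main'`. That skips the job instead of failing it, so keep the step as well if a visible failure is wanted. The triggers of this workflow are outside the hunk, so whether a non-main ref can reach this job at all is not visible here.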