diff --git a/.github/workflows/publish-js.yml b/.github/workflows/publish-js.yml
index 316196d6..24844659 100644
--- a/.github/workflows/publish-js.yml
+++ b/.github/workflows/publish-js.yml
@@ -18,6 +18,10 @@ permissions:
 jobs:
 prepare:
+ # Dev releases (workflow_dispatch) are only allowed from main
+ if: >-
+ github.event_name == 'pull_request' ||
+ (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main')
 runs-on:
 group: arc-public-large-amd64-runner
 outputs:
@@ -56,6 +60,18 @@ jobs:
 if: steps.config.outputs.should_publish == 'true'
 with:
 ref: ${{ steps.config.outputs.ref }}
+ fetch-depth: 0
+
+ - name: Validate commit exists on main
+ if: steps.config.outputs.should_publish == 'true' && github.event_name == 'workflow_dispatch'
+ env:
+ TARGET_REF: ${{ steps.config.outputs.ref }}
+ run: |
+ git fetch origin main
+ if ! git merge-base --is-ancestor "$TARGET_REF" origin/main; then
+ echo "::error::Commit $TARGET_REF is not on the main branch. Dev releases can only be published from merged code."
+ exit 1
+ fi
 - name: Generate version
 if: steps.config.outputs.should_publish == 'true'
diff --git a/.github/workflows/publish-kotlin.yml b/.github/workflows/publish-kotlin.yml
index f04237fb..fdbc4872 100644
--- a/.github/workflows/publish-kotlin.yml
+++ b/.github/workflows/publish-kotlin.yml
@@ -18,6 +18,10 @@ permissions:
 jobs:
 prepare:
 name: Prepare Release
+ # Dev releases (workflow_dispatch) are only allowed from main
+ if: >-
+ github.event_name == 'pull_request' ||
+ (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main')
 runs-on: ubuntu-latest
 permissions:
 contents: read
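Review bot: A `workflow_dispatch` run from any branch other than `main` now skips the `prepare` job silently instead of failing, so the person dispatching gets no diagnostic, and the comment above `if:` should say so; it should also say that this condition only gates the branch the workflow was dispatched on, while the commit being published is checked later in the "Validate commit exists on main" step. Suggested comment: `# Dev releases (workflow_dispatch) must be dispatched from main; runs from other branches skip this job (and anything that needs it). The target commit is additionally checked against main in the "Validate commit exists on main" step.` Jobs that `needs: prepare` are presumably skipped with it unless they use `always()`, which cannot be confirmed from this hunk. The same job-level gate appears in publish-kotlin.yml, publish-react.yml and publish-swift.yml.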
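Review bot: The ancestor check compares against `origin/main`, which `git fetch origin main` only updates when the clone's fetch refspec maps `main` onto that remote-tracking ref; comparing against what was just fetched removes that assumption: `git fetch --no-tags origin main` followed by `if ! git merge-base --is-ancestor "$TARGET_REF" FETCH_HEAD; then`. The guard otherwise fails closed, since an unresolvable `$TARGET_REF` makes merge-base exit non-zero, and passing the ref through `env:` instead of interpolating it into the script is the right choice. This twelve-line step is repeated verbatim in publish-kotlin.yml, publish-react.yml and publish-swift.yml, and the surrounding checkout steps already differ between files (`actions/checkout@v6` vs `@v4`), so a local composite action would keep the guard from drifting across the four workflows. The `prepare` job and its `steps:` list start outside this hunk.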
@@ -76,6 +80,18 @@ jobs:
 uses: actions/checkout@v6
 with:
 ref: ${{ steps.release-type.outputs.ref }}
+ fetch-depth: 0
+
+ - name: Validate commit exists on main
+ if: steps.release-type.outputs.should_publish == 'true' && github.event_name == 'workflow_dispatch'
+ env:
+ TARGET_REF: ${{ steps.release-type.outputs.ref }}
+ run: |
+ git fetch origin main
+ if ! git merge-base --is-ancestor "$TARGET_REF" origin/main; then
+ echo "::error::Commit $TARGET_REF is not on the main branch. Dev releases can only be published from merged code."
+ exit 1
+ fi
 - name: Generate version
 if: steps.release-type.outputs.should_publish == 'true'
diff --git a/.github/workflows/publish-react.yml b/.github/workflows/publish-react.yml
index 05b370fa..42794b76 100644
--- a/.github/workflows/publish-react.yml
+++ b/.github/workflows/publish-react.yml
@@ -18,6 +18,10 @@ permissions:
 jobs:
 prepare:
+ # Dev releases (workflow_dispatch) are only allowed from main
+ if: >-
+ github.event_name == 'pull_request' ||
+ (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main')
 runs-on:
 group: arc-public-large-amd64-runner
 outputs:
@@ -57,6 +61,18 @@ jobs:
 if: steps.config.outputs.should_publish == 'true'
 with:
 ref: ${{ steps.config.outputs.ref }}
+ fetch-depth: 0
+
+ - name: Validate commit exists on main
+ if: steps.config.outputs.should_publish == 'true' && github.event_name == 'workflow_dispatch'
+ env:
+ TARGET_REF: ${{ steps.config.outputs.ref }}
+ run: |
+ git fetch origin main
+ if ! git merge-base --is-ancestor "$TARGET_REF" origin/main; then
+ echo "::error::Commit $TARGET_REF is not on the main branch. Dev releases can only be published from merged code."
+ exit 1
+ fi
 - name: Generate versions
 if: steps.config.outputs.should_publish == 'true'
diff --git a/.github/workflows/publish-swift.yml b/.github/workflows/publish-swift.yml
index fcefab7c..6178bb8f 100644
--- a/.github/workflows/publish-swift.yml
+++ b/.github/workflows/publish-swift.yml
@@ -17,6 +17,10 @@ permissions:
 jobs:
 prepare:
+ # Dev releases (workflow_dispatch) are only allowed from main
+ if: >-
+ github.event_name == 'pull_request' ||
+ (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main')
 runs-on: ubuntu-latest
 permissions:
 contents: read
@@ -72,6 +76,18 @@ jobs:
 uses: actions/checkout@v4
 with:
 ref: ${{ steps.config.outputs.ref }}
+ fetch-depth: 0
+
+ - name: Validate commit exists on main
+ if: steps.config.outputs.should_publish == 'true' && github.event_name == 'workflow_dispatch'
+ env:
+ TARGET_REF: ${{ steps.config.outputs.ref }}
+ run: |
+ git fetch origin main
+ if ! git merge-base --is-ancestor "$TARGET_REF" origin/main; then
+ echo "::error::Commit $TARGET_REF is not on the main branch. Dev releases can only be published from merged code."
+ exit 1
+ fi
 - name: Get version
 if: steps.config.outputs.should_publish == 'true'