diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml
index 45f22d5..01ec423 100644
--- a/.github/workflows/check-dist.yml
+++ b/.github/workflows/check-dist.yml
@@ -13,9 +13,6 @@ on:
   pull_request:
     branches:
       - main
-  push:
-    branches:
-      - main
   workflow_call:
 
 permissions:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index eaebfbe..c508bd3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,9 +1,6 @@
 name: CI
 
 on:
-  push:
-    branches:
-      - main
   pull_request:
     branches:
       - main
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 6feb3c1..57b0fc2 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -4,9 +4,6 @@ on:
   pull_request:
     branches:
       - main
-  push:
-    branches:
-      - main
   schedule:
     - cron: '31 7 * * 3'
   workflow_call:
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index de52895..c9a1d09 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -9,9 +9,6 @@ on:
   pull_request:
     branches:
       - main
-  push:
-    branches:
-      - main
   workflow_call:
 
 permissions:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d9db9be..878128a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,25 +6,34 @@ on:
       - 'v*.*.*'
 
 permissions:
-  actions: read
-  checks: write
   contents: read
-  packages: read
-  security-events: write
-  statuses: write
 
 jobs:
-  check-dist:
-    uses: ./.github/workflows/check-dist.yml
-  codeql-analysis:
-    uses: ./.github/workflows/codeql-analysis.yml
-  lint:
-    uses: ./.github/workflows/linter.yml
-  ci:
-    uses: ./.github/workflows/ci.yml
+  check-main:
+    name: Verify tag is on main
+    runs-on: ubuntu-latest
+    outputs:
+      on_main: ${{ steps.check.outputs.on_main }}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Check ancestry
+        id: check
+        run: |
+          git fetch origin main
+          if git merge-base --is-ancestor "$GITHUB_SHA" origin/main; then
+            echo "on_main=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "on_main=false" >> "$GITHUB_OUTPUT"
+            echo "::notice::Tag is not on main — skipping release."
+          fi
 
   release:
-    needs: [check-dist, codeql-analysis, lint, ci]
+    needs: check-main
+    if: needs.check-main.outputs.on_main == 'true'
     runs-on: ubuntu-latest
     permissions:
       contents: write