From f5ffbb9c4fc0e599b3a52e0ad8d3dda37ebac0ce Mon Sep 17 00:00:00 2001
From: Alex Verkhovsky <alexey.verkhovsky@gmail.com>
Date: Mon, 9 Mar 2026 03:40:04 -0600
Subject: [PATCH] fix(ci): guard publish-latest against non-main dispatch

Reject workflow_dispatch runs from non-main refs to prevent
publishing unintended code or fast-forwarding main unexpectedly.
---
 .github/workflows/publish-latest.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/publish-latest.yaml b/.github/workflows/publish-latest.yaml
index a70dc5738..6d1c7ed52 100644
--- a/.github/workflows/publish-latest.yaml
+++ b/.github/workflows/publish-latest.yaml
@@ -22,6 +22,7 @@ permissions:
 
 jobs:
   publish:
+    if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout