diff --git a/.github/workflows/build_and_test_develop_merge.yml b/.github/workflows/build_and_test_develop_merge.yml
new file mode 100644
index 00000000..0dd43394
--- /dev/null
+++ b/.github/workflows/build_and_test_develop_merge.yml
@@ -0,0 +1,99 @@
+name: CI - Develop
+
+on:
+  push:
+    branches:
+      - develop
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+
+concurrency:
+  group: ci-develop-${{ github.ref }}
+  cancel-in-progress: false
+
+env:
+  GOLANG_VERSION: 1.26.3
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+          cache: true
+
+      - name: Test (retry)
+        shell: bash
+        run: |
+          set -euo pipefail
+          retry() {
+            local attempts=$1
+            shift
+            local n=1
+            until "$@"; do
+              if [ "$n" -ge "$attempts" ]; then
+                echo "Command failed after $attempts attempts: $*"
+                return 1
+              fi
+              n=$((n + 1))
+              sleep $((5 * n))
+            done
+          }
+          retry 3 go test ./...
+
+      - name: GoReleaser snapshot build
+        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
+        with:
+          distribution: goreleaser
+          version: latest
+          args: build --snapshot --clean --single-target
+
+  publish-ghcr:
+    name: Publish GHCR images with GoReleaser
+    needs: validate
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+          cache: true
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Login to GHCR
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+
+      - name: Release snapshot to GHCR with GoReleaser
+        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --snapshot --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DOCKER_HUB_ORG: ghcr.io/${{ github.repository_owner }}
diff --git a/.github/workflows/build_and_test_pr.yml b/.github/workflows/build_and_test_pr.yml
index a3c50c18..f5db0fb9 100644
--- a/.github/workflows/build_and_test_pr.yml
+++ b/.github/workflows/build_and_test_pr.yml
@@ -2,8 +2,7 @@ name: CI - Pull Requests
 
 on:
   pull_request:
-    branches:
-      - main
+    branches: [main, develop]
 
 permissions:
   contents: read
diff --git a/.github/workflows/frontend-build.yml b/.github/workflows/frontend-build.yml
index aadad1a9..54025ca2 100644
--- a/.github/workflows/frontend-build.yml
+++ b/.github/workflows/frontend-build.yml
@@ -1,9 +1,9 @@
 name: frontend-build
 on:
   push:
-    branches: [main]
+    branches: [main, develop]
   pull_request:
-    branches: [main]
+    branches: [main, develop]
 permissions:
   contents: read
 jobs:
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index 3670e418..cd527202 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -2,7 +2,7 @@ name: Go linting on PRs pushed to osctrl
 
 on:
   pull_request:
-    branches: [main, master, develop]
+    branches: [main, develop]
     paths:
       - "**/*.go"
       - "go.mod"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3a78d862..d5d9a3af 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -27,6 +27,19 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Ensure release tag is on main
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          git fetch --no-tags origin main:refs/remotes/origin/main
+          tag_commit="$(git rev-list -n 1 "refs/tags/${GITHUB_REF_NAME}")"
+
+          if ! git merge-base --is-ancestor "${tag_commit}" origin/main; then
+            echo "::error::Release tags must point to commits already merged to main"
+            exit 1
+          fi
+
       - name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with: