diff --git a/.github/workflows/01.deploy_to_production.yml b/.github/workflows/01.deploy_to_production.yml
index 193d824..8de89be 100644
--- a/.github/workflows/01.deploy_to_production.yml
+++ b/.github/workflows/01.deploy_to_production.yml
@@ -6,19 +6,24 @@ permissions:
   packages: write
 
 on:
-  workflow_dispatch:
   push:
     branches:
       - main
   workflow_run:
     workflows: ["CI"]
+    branches: [main]  # Only run on CI completion for main branch
     types:
       - completed
 
 jobs:
   deploy-production:
     name: Deploy to production
-    if: github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch'
+    # Only deploy if either:
+    # 1. Direct push to main
+    # 2. CI workflow completed successfully on main branch
+    if: |
+      (github.event_name == 'push' && github.ref == 'refs/heads/main') ||
+      (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main')
     concurrency:
       group: production_environment
       cancel-in-progress: true
@@ -28,6 +33,8 @@ jobs:
     timeout-minutes: 20
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: main  # Explicitly checkout main branch
 
       - uses: ./.github/workflows/setup
         name: Setup