diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cb3a5723961..576405791ec 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,8 @@ name: CI
 
 on:
   push:
+    tags:
+      - v*
     branches-ignore:
       - gh-pages
   pull_request:
diff --git a/.github/workflows/release-rc.yml b/.github/workflows/release-rc.yml
index e479211ff3c..2aca8fb1f67 100644
--- a/.github/workflows/release-rc.yml
+++ b/.github/workflows/release-rc.yml
@@ -1,18 +1,45 @@
 name: Release Armada components - RC
 
 on:
-  push:
+  workflow_run:
+    types: [completed]
+    workflows: [CI]
     branches:
-      - main
       - master
 
 permissions:
   contents: write
 
 jobs:
+  validate:
+    if: github.event.workflow_run.event == 'push' && github.event.workflow_run.conclusion == 'success' && github.repository_owner == 'armadaproject'
+    name: "Validate revision"
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: "Checkout"
+        uses: "actions/checkout@v3"
+        with:
+          fetch-depth: 0
+
+      # The given ref should belong to the master branch.
+      # If it's master, it shouldn't be more than 2 commits away (in case another push happened in the meantime).
+      # Anything else is invalid.
+      - name: Validate ref
+        run: |
+          ref='${{ github.event.workflow_run.head_branch }}'
+          sha='${{ github.event.workflow_run.head_sha }}'
+
+          [ "$ref" == "master" ] &&
+          [ $(git branch --contains=$sha master | wc -l) -eq 1 ] &&
+          [ $(git rev-list --count $sha..master) -le 2 ]
+          if [ $? -ne 0 ]; then
+            echo "::error ::Invalid ref $ref $sha: must be a merge to master branch and not more than 2 commits away"
+            exit 1
+          fi
   release:
-    if: github.repository_owner == 'armadaproject'
     name: Release
+    needs: validate
     runs-on: "ubuntu-22.04"
     environment: armada-dockerhub
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 188bd802687..798ecc0e448 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,17 +1,45 @@
 name: Release Armada components
 
 on:
-  push:
-    tags:
-      - 'v*'
+  workflow_run:
+    types: [completed]
+    workflows: [CI]
+    branches:
+      - v*
 
 permissions:
   contents: write
 
 jobs:
+  validate:
+    if: github.event.workflow_run.event == 'push' && github.event.workflow_run.conclusion == 'success' && github.repository_owner == 'armadaproject'
+    name: "Validate revision"
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: "Checkout"
+        uses: "actions/checkout@v3"
+        with:
+          fetch-depth: 0
+
+      # The given ref should belong to the master branch.
+      # If it starts with 'v', it should be a tag, belong to the master branch and match the semver regex.
+      # Anything else is invalid.
+      - name: Validate ref
+        run: |
+          ref='${{ github.event.workflow_run.head_branch }}'
+          sha='${{ github.event.workflow_run.head_sha }}'
+
+          [[ $ref =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] &&
+          [ $(git rev-parse refs/tags/$ref) == $sha ] &&
+          [ $(git branch --contains=$sha master | wc -l) -eq 1 ]
+          if [ $? -ne 0 ]; then
+            echo "::error ::Invalid ref $ref $sha: must be a tag, belong to the master branch and match the semver regex"
+            exit 1
+          fi
   release:
-    if: github.repository_owner == 'armadaproject'
     name: "Release"
+    needs: validate
     runs-on: ubuntu-22.04
     environment: armada-dockerhub