diff --git a/.github/workflows/build_prodrc_pr.yaml b/.github/workflows/build_prodrc_pr.yaml
index 58a911fa..2e5034e7 100644
--- a/.github/workflows/build_prodrc_pr.yaml
+++ b/.github/workflows/build_prodrc_pr.yaml
@@ -13,13 +13,16 @@ jobs:
   docker_build:
     runs-on: ubuntu-latest
     steps:
+    - name: Verify merge is develop -> main
+      if: github.head_ref != 'develop'
+      run: echo "Must merge from develop -> main/master"; exit 1
     - name: Check out GitHub Repo
-      if: github.event.pull_request.draft == false
+      if: github.event.pull_request.draft == false && github.head_ref == 'develop'
       with:
         ref: "${{ github.event.pull_request.head.sha }}"
       uses: actions/checkout@v2
     - name: Build and Push to Packages
-      if: github.event.pull_request.draft == false
+      if: github.event.pull_request.draft == false && github.head_ref == 'develop'
       env:
         PR: "${{ github.event.pull_request.number }}"
         SHA: "${{ github.event.pull_request.head.sha }}"
diff --git a/.github/workflows/prod_release.yaml b/.github/workflows/prod_release.yaml
new file mode 100644
index 00000000..ffa14533
--- /dev/null
+++ b/.github/workflows/prod_release.yaml
@@ -0,0 +1,38 @@
+---
+name: Publish Release Image
+'on':
+  release:
+    branches:
+    - main
+    - master
+    types:
+    - published
+jobs:
+  docker_build:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check Tag
+      id: check-tag
+      run: |-
+        if [[ ${{ github.ref_name }} =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+          echo ::set-output name=match::true
+        fi
+    - name: Report SemVer Check
+      if: steps.check-tag.outputs.match != 'true'
+      run: echo "Release version must follow semantic naming (e.g. 1.0.2)"; exit 1
+    - name: Check Source Branch
+      if: github.event.release.target_commitish != 'master' && github.event.release.target_commitish != 'main'
+      run: echo "Releases must be built from master/main branch"; exit 1
+    - name: Check out GitHub Repo
+      with:
+        ref: "${{ github.event.pull_request.head.sha }}"
+      uses: actions/checkout@v2
+    - name: Build and Push to Packages
+      env:
+        ISH: "${{ github.event.release.target_commitish }}"
+        PR: "${{ github.event.pull_request.number }}"
+        SHA: "${{ github.event.pull_request.head.sha }}"
+        VER: "${{ github.event.release.tag_name }}"
+        DOCKER_ACTOR: "${{ secrets.GHCR_USERNAME }}"
+        DOCKER_TOKEN: "${{ secrets.GHCR_TOKEN }}"
+      run: "./.github/workflows/scripts/prod_release.sh\n"
diff --git a/.github/workflows/scripts/build_prodrc_pr.sh b/.github/workflows/scripts/build_prodrc_pr.sh
index d888fc9d..4c7bdf27 100755
--- a/.github/workflows/scripts/build_prodrc_pr.sh
+++ b/.github/workflows/scripts/build_prodrc_pr.sh
@@ -6,6 +6,7 @@ export DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
 export BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
 export COMMIT=$(echo "$SHA" | cut -c -7)
 
+echo "Branch is:" ${GITHUB_HEAD_REF}
 docker login -u "$DOCKER_ACTOR" -p "$DOCKER_TOKEN" ghcr.io
 docker build --build-arg BUILD_DATE="$DATE" \
              --build-arg COMMIT="$COMMIT" \
diff --git a/.github/workflows/scripts/build_test_pr.sh b/.github/workflows/scripts/build_test_pr.sh
index 4fee0681..546b1b42 100755
--- a/.github/workflows/scripts/build_test_pr.sh
+++ b/.github/workflows/scripts/build_test_pr.sh
@@ -14,4 +14,4 @@ docker build --build-arg BUILD_DATE="$DATE" \
              --label us.kbase.vcs-pull-req="$PR" \
              -t ghcr.io/"$MY_ORG"/"$MY_APP":"pr-""$PR" .
 docker push ghcr.io/"$MY_ORG"/"$MY_APP":"pr-""$PR"
-	
+	
\ No newline at end of file
diff --git a/.github/workflows/scripts/prod_release.sh b/.github/workflows/scripts/prod_release.sh
new file mode 100755
index 00000000..46d008c6
--- /dev/null
+++ b/.github/workflows/scripts/prod_release.sh
@@ -0,0 +1,24 @@
+#! /usr/bin/env bash
+
+export MY_ORG=$(echo "${GITHUB_REPOSITORY}" | awk -F / '{print $1}')
+export MY_APP=$(echo "${GITHUB_REPOSITORY}" | awk -F / '{print $2}')
+export DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+export BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+export COMMIT=$(echo "$SHA" | cut -c -7)
+
+echo "ISH is:" $ISH
+echo "GITHUB_REF is:" $GITHUB_REF
+echo "HEAD_REF is:" $GITHUB_HEAD_REF
+echo "BASE_REF is:" $GITHUB_BASE_REF
+echo "Release is:" $GITHUB_REF_NAME
+echo $DOCKER_TOKEN | docker login ghcr.io -u $DOCKER_ACTOR --password-stdin
+docker build --build-arg BUILD_DATE="$DATE" \
+             --build-arg COMMIT="$COMMIT" \
+             --build-arg BRANCH="$GITHUB_HEAD_REF" \
+             --build-arg PULL_REQUEST="$PR" \
+             --build-arg VERSION="$VER"  \
+             --label us.kbase.vcs-pull-req="$PR" \
+             -t ghcr.io/"$MY_ORG"/"$MY_APP":"$VER" \
+             -t ghcr.io/"$MY_ORG"/"$MY_APP":"latest" .
+docker push ghcr.io/"$MY_ORG"/"$MY_APP":"$VER"
+docker push ghcr.io/"$MY_ORG"/"$MY_APP":"latest"
diff --git a/.github/workflows/scripts/tag_prod_latest.sh b/.github/workflows/scripts/tag_prod_latest.sh
index 1390fd16..c3c42252 100755
--- a/.github/workflows/scripts/tag_prod_latest.sh
+++ b/.github/workflows/scripts/tag_prod_latest.sh
@@ -8,5 +8,5 @@ export COMMIT=$(echo "$SHA" | cut -c -7)
 
 docker login -u "$DOCKER_ACTOR" -p "$DOCKER_TOKEN" ghcr.io
 docker pull ghcr.io/"$MY_ORG"/"$MY_APP":"pr-""$PR"
-docker tag ghcr.io/"$MY_ORG"/"$MY_APP":"pr-""$PR" ghcr.io/"$MY_ORG"/"$MY_APP":"latest"
-docker push ghcr.io/"$MY_ORG"/"$MY_APP":"latest"
+docker tag ghcr.io/"$MY_ORG"/"$MY_APP":"pr-""$PR" ghcr.io/"$MY_ORG"/"$MY_APP":"latest-rc"
+docker push ghcr.io/"$MY_ORG"/"$MY_APP":"latest-rc"