diff --git a/.github/workflows/publish-ghcr.yml b/.github/workflows/publish-ghcr.yml
index e59ac4c..8f19fd6 100644
--- a/.github/workflows/publish-ghcr.yml
+++ b/.github/workflows/publish-ghcr.yml
@@ -1,10 +1,12 @@
 name: Publish Docker image to GHCR
+# type: line; This workflow intentionally only builds+pushes on semver tags for releases, to avoid multiple image artifacts and ensure clarity.
 
 on:
+  # Only run on v* semver tags (release publish)
   push:
     tags:
-      - 'v*'
-  workflow_dispatch:
+      - 'v*' # type: line; Only semver tags (v*) publish image, not branches/other refs.
+    # If no version tag is present, the workflow is inert. # type: line; Ensures job only acts when a semver tag is present.
 
 permissions:
   contents: read
@@ -15,8 +17,26 @@ env:
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27
+
+      - name: Set up Nix Flake environment
+        run: nix develop --command true
+
+      - name: Run Django tests
+        run: |
+          nix develop --command python bfd9000_web/manage.py test --verbosity=2
+
   build-and-push:
     runs-on: ubuntu-latest
+    needs: [test]
 
     steps:
       - name: Checkout repository
@@ -40,6 +60,11 @@ jobs:
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          # Only produce the exact version tag (e.g. "1.2.3" from tag "v1.2.3").
+          # The metadata-action defaults generate 3 tags (version, major.minor, and ref),
+          # causing 3 separate image assets per release. This restricts output to one.
+          tags: |
+            type=semver,pattern={{version}}
 
       - name: Cache Docker layers
         uses: actions/cache@v4
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 484007a..2d4f79f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -3,11 +3,9 @@ name: Run Django Tests
 # AI should know how to fix it.
 
 on:
-  push:
-    branches: [main, master, develop]
+  # Only run when a review is requested on a PR (not on push, open, etc)
   pull_request:
-    # Run on all PRs, regardless of target branch
-    types: [opened, synchronize, reopened, ready_for_review]
+    types: [review_requested]
 
 jobs:
   test:
@@ -26,3 +24,24 @@ jobs:
       - name: Run Django tests
         run: |
           nix develop --command python bfd9000_web/manage.py test --verbosity=2
+
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image (no push)
+        # Build only to verify the Dockerfile is valid; image is discarded after this job.
+        uses: docker/build-push-action@v5
+        with:
+          context: ./bfd9000_web
+          file: ./bfd9000_web/Dockerfile
+          push: false