diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index e057e4ab8..34a5e8694 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -227,6 +227,7 @@ jobs:
         id: login-ecr-prod
         uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
       - name: Push image to registries for prod aws account
+        if: ${{ startsWith(needs.generate_docker_tag.outputs.docker_tag, 'rls-r') }}
         env:
           IMAGE_TAG: ${{ needs.generate_docker_tag.outputs.docker_tag }}
           REGISTRY: ${{ steps.login-ecr-prod.outputs.registry }}
diff --git a/.github/workflows/ecs-deploy.yml b/.github/workflows/ecs-deploy.yml
index 81748fd00..2a87e55ab 100644
--- a/.github/workflows/ecs-deploy.yml
+++ b/.github/workflows/ecs-deploy.yml
@@ -95,6 +95,13 @@ jobs:
         with:
           aws-region: ${{ vars.AWS_REGION }}
           role-to-assume: arn:aws:iam::${{ secrets.PROD_ACCOUNT_ID }}:role/delegatedadmin/developer/dpc-${{ inputs.env }}-github-actions
+
+      - name: Fail if non-release image tag used for upper environments
+        if: ${{ (inputs.env == 'sandbox' || inputs.env == 'prod') && !startsWith(inputs.ecr_image_tag, 'rls-r') }}
+        run: |
+          echo "Release tag must be explicitly specified with format 'rls-rXYZ' for upper environments."
+          exit 1
+
       - name: Set Deployed Image Tag
         id: image-tag
         env:
@@ -109,6 +116,7 @@ jobs:
             echo "image_tag=$EXPLICIT_TAG" >> "$GITHUB_OUTPUT"
           fi
           echo $image_tag
+
       - uses: slackapi/slack-github-action@b0fa283ad8fea605de13dc3f449259339835fc52 # v2.1.0
         name: Slack Starting
         with: