diff --git a/.changelog/release-process-hardening.md b/.changelog/release-process-hardening.md new file mode 100644 index 0000000..f88ca83 --- /dev/null +++ b/.changelog/release-process-hardening.md @@ -0,0 +1,5 @@ +--- +wallet-cli: none +--- + +Require manual release workflow dispatch before creating GitHub releases or publishing release assets. diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e031ea6..56028c8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -188,7 +188,7 @@ jobs: contents: write needs: [parse-tag, build] runs-on: ubuntu-latest - if: startsWith(github.ref, 'refs/tags/') + if: github.event_name == 'workflow_dispatch' && startsWith(github.ref, 'refs/tags/') strategy: fail-fast: false matrix: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3150797..bfdfd52 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,14 +7,15 @@ on: concurrency: ${{ github.workflow }}-${{ github.ref }} -permissions: - actions: write - contents: write - pull-requests: write +permissions: {} jobs: - release: + prepare: + if: github.event_name == 'push' runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
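Review bot: The new `if:` on the build.yml job gates only on the event name, so any user with write access can dispatch the workflow at a tag and reach this job's `contents: write` steps with no approval, whereas the new `release` job in release.yml additionally sets `environment: release`. If that environment carries required reviewers or a deployment branch/tag policy, adding `environment: release` next to `runs-on: ubuntu-latest` here would put the asset-publishing job behind the same gate; the job's header and build.yml's `on:` block are above the hunk, and the job can only ever run if `workflow_dispatch` is declared there. A comment above the condition would also help the next reader, e.g. `# Tag pushes only build; publishing requires an explicit workflow_dispatch at the tag.`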
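Review bot: The renamed `prepare` job takes `contents: write` and `pull-requests: write` at job level under a workflow-wide `permissions: {}`, which is the right shape, but nothing in release.yml now says how the two jobs split the work. A comment above `prepare:` would capture it, e.g. `# push: version wallet-cli, update CHANGELOG.md and open the release PR; tagging/publishing happens only in the dispatch-only release job.` The checkout step's `with:` block is cut off at the end of the hunk, so I cannot tell whether this job sets `persist-credentials: false` as the new `release` job does; a write-scoped token should not be left in `.git/config` for later steps if it is not.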
@@ -69,6 +70,47 @@ jobs: gh pr create --head "$BRANCH" --base main --title "chore: release ${VERSION}" --body "Version wallet-cli to ${VERSION} and update CHANGELOG.md." fi + release: + if: github.event_name == 'workflow_dispatch' + runs-on: ubuntu-latest + environment: release + permissions: + actions: write + contents: write + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + + - name: Setup Node.js + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 + with: + node-version: "22" + + - name: Setup pnpm + run: | + corepack enable + corepack prepare pnpm@11.0.8 --activate + + - name: Install dependencies + run: pnpm install --frozen-lockfile + + - name: Apply pending changelogs + run: pnpm changelog:version + + - name: Check release tree is clean + id: diff + run: | + if git diff --quiet; then + echo "changed=false" >> "$GITHUB_OUTPUT" + else + echo "changed=true" >> "$GITHUB_OUTPUT" + echo "Pending changelog changes exist. Merge the generated release PR before dispatching a release." >&2 + git diff -- package.json CHANGELOG.md .changelog + exit 1 + fi + - name: Create release tag when version is unreleased if: steps.diff.outputs.changed == 'false' env:
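Review bot: The new `release` job's `if:` constrains the event but not the ref, so a `workflow_dispatch` started from any branch runs `pnpm changelog:version` and the tagging step against that branch; unless the `release` environment's deployment-branch policy already restricts this, tighten it to `if: github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main'`. The clean-tree check uses `git diff --quiet`, which ignores untracked and staged files, so if `changelog:version` creates new files or stages its edits the job would proceed as though nothing were pending; `if [ -z "$(git status --porcelain)" ]; then` covers all three cases. `actions: write` is granted but nothing visible in the hunk uses it — the tagging step's `env:` and body run past the hunk — so a comment on the `permissions:` block stating what each scope is for (presumably dispatching build.yml for the new tag) would let a later reviewer confirm it is still needed. Note that `environment: release` is only as strong as the environment's protection rules; without required reviewers configured, anyone with write access can dispatch a release.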