diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml
index 69052f1..54ce7cc 100644
--- a/.github/workflows/publish-image.yml
+++ b/.github/workflows/publish-image.yml
@@ -14,7 +14,12 @@ on:
 types: [runtime-published]
 push:
 branches: [main]
- pull_request:
+ # NOTE: do NOT add `pull_request:` here. The reusable
+ # publish-template-image workflow has no PR-skip guard, so a PR
+ # trigger pushes per-PR :latest clobbers and sha-<7> tags for
+ # unmerged code to GHCR. PRs already get a Dockerfile build smoke
+ # test from the validate-workspace-template workflow (no push) —
+ # that's the right place for PR-time verification.
 workflow_dispatch:
 inputs:
 runtime_version:
@@ -35,6 +40,6 @@ jobs:
 # exact version PyPI just published. Forwarded to the reusable
 # workflow as a docker --build-arg so the cache key changes
 # per-version and pip install resolves freshly.
- # On other events (push/PR/manual without input), this is empty
- # and the Dockerfile's default (requirements.txt pin) applies.
+ # On other events (push to main / manual without input), this is
+ # empty and the Dockerfile's default (requirements.txt pin) applies.
 runtime_version: ${{ github.event.client_payload.runtime_version || inputs.runtime_version || '' }}
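Review bot: The comment added under `on:` in the first hunk is the only thing keeping PR builds from publishing. Nothing enforces it, so a later edit that re-adds `pull_request:` would again push `:latest` and sha tags built from unmerged code to GHCR. An enforced guard would hold where a comment cannot: `if: github.event_name != 'pull_request'` on the job that calls the reusable publish-template-image workflow, or an equivalent condition on that workflow's push step. The calling job and the reusable workflow are outside this hunk, so where the guard belongs needs to be confirmed against them.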