diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index f11c4e5..d8dd6b0 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -3,6 +3,8 @@ name: Build and Publish Rocks to GHCR
 on:
   push:
     branches: [main]
+  pull_request:
+    branches: [main]
   workflow_dispatch:
 
 jobs:
@@ -32,7 +34,7 @@ jobs:
     uses: canonical/oci-factory/.github/workflows/Build-Rock.yaml@main
     with:
       rock-repo: ${{ github.repository }}
-      rock-repo-commit: ${{ github.ref }}
+      rock-repo-commit: ${{ github.head_ref || github.ref_name }}
       rockfile-directory: ${{ matrix.rock.location }}
       oci-archive-name: ${{ matrix.rock.name }}_${{ matrix.rock.tag }}
       arch-map: ${{ needs.get-runners.outputs.arch-map }}
@@ -51,6 +53,9 @@ jobs:
 
   upload:
     needs: [tag-rocks, test]
+    if: |
+      github.event_name == 'push' &&
+      github.ref == 'refs/heads/main'
     strategy:
       matrix:
         rock: ${{ fromJSON(needs.tag-rocks.outputs.json_result) }}
@@ -67,3 +72,4 @@ jobs:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
diff --git a/dotnet-deps-rock/9.0-25.04/rockcraft.yaml b/dotnet-deps-rock/9.0-25.04/rockcraft.yaml
index 9bc25cd..a35156b 100644
--- a/dotnet-deps-rock/9.0-25.04/rockcraft.yaml
+++ b/dotnet-deps-rock/9.0-25.04/rockcraft.yaml
@@ -37,4 +37,10 @@ parts:
         libunwind8_libs \
         zlib1g_libs
 
-
+  deb-security-manifest:
+    after: [deps]
+    plugin: make
+    source: https://github.com/canonical/rocks-security-manifest
+    source-type: git
+    source-branch: main
+    override-prime: gen_manifest