diff --git a/.github/workflows/on-release-main.yml b/.github/workflows/on-release-main.yml
index 9c7ecf0..6be48a2 100644
--- a/.github/workflows/on-release-main.yml
+++ b/.github/workflows/on-release-main.yml
@@ -2,6 +2,11 @@ name: release-main
 
 on:
   workflow_dispatch:
+    inputs:
+      debug_tmate:
+        description: "Open an interactive tmate debug session if a job fails"
+        type: boolean
+        default: false
   release:
     types: [published]
     branches: [main]
@@ -22,6 +27,9 @@ jobs:
 
       fail-fast: false
     runs-on: ${{ matrix.os }}
+    # Successful builds take ~35-60 min; cap well under the 6h default so a stuck
+    # job (e.g. a hung publish) fails fast instead of burning a runner for 6 hours.
+    timeout-minutes: 180
     defaults:
       run:
         shell: bash
@@ -109,8 +117,13 @@ jobs:
           poetry publish --skip-existing
         if: github.event_name == 'release'
 
+      # Only open a tmate session when explicitly requested via workflow_dispatch.
+      # On a release event `inputs.debug_tmate` is false, so a failed job fails fast
+      # instead of holding the runner open until the 6h job timeout. The step is also
+      # bounded by timeout-minutes as a safety net.
       - name: Setup tmate
-        if: failure()
+        if: ${{ failure() && inputs.debug_tmate }}
+        timeout-minutes: 30
         uses: mxschmitt/action-tmate@v3
         with:
           limit-access-to-actor: true