diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 81f93b1..2cf88c8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,9 +6,12 @@ name: Release # required reviewers) # manual -> build only (workflow_dispatch) # -# Required GitHub Environment secrets: +# Deploys are OFF until a cluster exists. To enable, set the repository +# variable DEPLOY_ENABLED=true (Settings -> Secrets and variables -> Actions -> +# Variables) and add the per-environment secret: # staging / production: KUBE_CONFIG (base64-encoded kubeconfig for the cluster) -# Images push to GHCR using the built-in GITHUB_TOKEN (packages: write). +# Until then the deploy jobs are skipped and this workflow only builds + pushes +# images to GHCR (using the built-in GITHUB_TOKEN, packages: write). on: push: @@ -78,7 +81,7 @@ jobs: deploy-staging: name: Deploy to staging needs: images - if: github.ref == 'refs/heads/main' + if: github.ref == 'refs/heads/main' && vars.DEPLOY_ENABLED == 'true' runs-on: ubuntu-latest environment: staging steps: @@ -92,7 +95,7 @@ jobs: deploy-prod: name: Deploy to production needs: images - if: startsWith(github.ref, 'refs/tags/v') + if: startsWith(github.ref, 'refs/tags/v') && vars.DEPLOY_ENABLED == 'true' runs-on: ubuntu-latest environment: production steps: diff --git a/deploy/README.md b/deploy/README.md index 079454d..81fd5f6 100644 --- a/deploy/README.md +++ b/deploy/README.md 
@@ -103,6 +103,7 @@ else comes from the chart defaults plus an optional committed overlay | What | Where | Value | |------|-------|-------| +| `DEPLOY_ENABLED` | Repository **variable** (Actions → Variables) | `true` to enable the deploy jobs; unset/anything else and they are skipped (the workflow still builds + pushes images) | | `KUBE_CONFIG` | Environment secret on **staging** and **production** | base64-encoded kubeconfig for that cluster | | Required reviewers | **production** environment protection rules | who approves prod deploys | | Packages: write | repo default `GITHUB_TOKEN` | already granted in the workflow |
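
Review bot: in the `deploy-staging` hunk of `.github/workflows/release.yml`, the new condition `github.ref == 'refs/heads/main' && vars.DEPLOY_ENABLED == 'true'` does not check the triggering event, while the header comment in the same file promises `manual -> build only (workflow_dispatch)`. A manual run started from `main` carries the same `github.ref`, so once the variable is set it would satisfy this condition and deploy to staging. Suggest adding `github.event_name == 'push'` to the expression so that enabling the flag cannot turn a manual build into a deploy.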
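
Review bot: in the `deploy-prod` hunk of `.github/workflows/release.yml`, production is armed by the same repository-wide `DEPLOY_ENABLED` variable as staging, so switching on staging deploys also makes every `v*` tag eligible for a production deploy. The only gate left is the required-reviewers rule on the `production` environment, which the README table lists as something the operator still has to configure. Suggest a separate production switch (for example a hypothetical `DEPLOY_PROD_ENABLED` variable), or a line in the header comment saying the production reviewers must be in place before the variable is set.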
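
Review bot: the new `DEPLOY_ENABLED` row in `deploy/README.md` says "unset/anything else and they are skipped", but the workflow tests the variable with `vars.DEPLOY_ENABLED == 'true'`, and GitHub Actions expressions ignore case when comparing strings, so `True` or `TRUE` also enable the deploy jobs. Suggest stating in the row that the match on `true` is case-insensitive, so the documented off state matches what the expression actually evaluates.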