diff --git a/.github/workflows/dotnet-main.yml b/.github/workflows/dotnet-main.yml
index 22301bafd..0f98f568d 100644
--- a/.github/workflows/dotnet-main.yml
+++ b/.github/workflows/dotnet-main.yml
@@ -8,6 +8,10 @@ on:
 env:
   DEFAULT_DOTNET_VERSION: "8.0.x"
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   build:
     strategy:
@@ -98,10 +102,13 @@ jobs:
             ${{ github.workspace }}/packages/**/*.nupkg
 
   publish-nuget:
-    needs: sign
+    needs: [sign, detect-pr-label]
     runs-on: ubuntu-latest
     environment:
       name: nuget-beta
+    # Only run publish when the merged PR does NOT contain the skip label.
+    # The label name is configurable via the `SKIP_PUBLISH_LABEL` env in the detector job below.
+    if: needs.detect-pr-label.outputs.skip_publish != 'true'
     steps:
       - name: Download package
         uses: actions/download-artifact@v5
@@ -112,10 +119,12 @@ jobs:
         run: dotnet nuget push ./*.nupkg --source "https://api.nuget.org/v3/index.json" --api-key ${{ secrets.NUGET_PACKAGE_PUSH_TOKEN }}
 
   publish-azure-artifacts:
-    needs: sign
+    needs: [sign, detect-pr-label]
     runs-on: windows-latest
     environment:
       name: azure-artifacts
+    # Skip pushing to Azure Artifacts when the merged PR requested skipping the publish.
+    if: needs.detect-pr-label.outputs.skip_publish != 'true'
     steps:
       - name: Download package
         uses: actions/download-artifact@v5
@@ -144,3 +153,35 @@ jobs:
     uses: ./.github/workflows/code-coverage.yml
     secrets: inherit
 
+  detect-pr-label:
+    # This job detects whether the commit that triggered this push
+    # is associated with a merged pull request that contains a label
+    # indicating we should skip publishing packages.
+    runs-on: ubuntu-latest
+    outputs:
+      skip_publish: ${{ steps.check.outputs.skip }}
+    env:
+      # Change this label name to whatever you use to skip publishing.
+      SKIP_PUBLISH_LABEL: skip-nuget-publish
+    steps:
+        id: check
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          LABEL="${SKIP_PUBLISH_LABEL}"
+          # Get the first PR associated with this commit (if any)
+          number=$(gh api -H "Accept: application/vnd.github+json" \
+            "/repos/${{ github.repository }}/commits/${{ github.sha }}/pulls" --jq '.[0].number' 2>/dev/null || echo "")
+          if [ -z "$number" ] || [ "$number" = "null" ]; then
+            # No PR found for this commit -> do not skip by default
+            echo "skip=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          # List label names for the PR and check for an exact match
+          has_label=$(gh api "/repos/${{ github.repository }}/issues/$number/labels" --jq '.[].name' 2>/dev/null | grep -Fx -- "$LABEL" || true)
+          if [ -n "$has_label" ]; then
+            echo "skip=true" >> $GITHUB_OUTPUT
+          else
+            echo "skip=false" >> $GITHUB_OUTPUT
+          fi