diff --git a/.github/workflows/cdn-dryrun.yml b/.github/workflows/cdn-dryrun.yml
new file mode 100644
index 0000000..43726cd
--- /dev/null
+++ b/.github/workflows/cdn-dryrun.yml
@@ -0,0 +1,56 @@
+name: CDN Dry-Run
+
+on:
+  pull_request:
+    paths:
+      - "packages/widget/**"
+      - "packages/sdk/**"
+      - ".github/workflows/cdn-dryrun.yml"
+      - ".github/workflows/npm-publish.yml"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  dryrun-widget:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: "1.3.13"
+
+      - run: bun install
+
+      - run: bun run build
+
+      - name: Configure AWS credentials (read-only)
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          role-to-assume: ${{ secrets.CDN_AWS_ROLE_READER }}
+          role-session-name: gha-cdn-dryrun-widget-${{ github.run_id }}
+          aws-region: ${{ secrets.CDN_AWS_REGION }}
+
+      - name: List existing widget objects at CDN
+        env:
+          BUCKET: ${{ secrets.CDN_S3_BUCKET }}
+        run: |
+          echo "::group::existing s3://${BUCKET}/widgets/"
+          aws s3 ls "s3://${BUCKET}/widgets/" --recursive --human-readable --summarize || echo "(no widgets at CDN yet)"
+          echo "::endgroup::"
+
+      - name: Dry-run widget sync
+        env:
+          BUCKET: ${{ secrets.CDN_S3_BUCKET }}
+        run: |
+          VER=$(node -p "require('./packages/widget/package.json').version")
+          echo "Would publish widget v${VER}"
+          echo "::group::dryrun → s3://${BUCKET}/widgets/v${VER}/"
+          aws s3 sync ./packages/widget/dist/ "s3://${BUCKET}/widgets/v${VER}/" --dryrun
+          echo "::endgroup::"
+          echo "::group::dryrun → s3://${BUCKET}/widgets/latest/"
+          aws s3 sync ./packages/widget/dist/ "s3://${BUCKET}/widgets/latest/" --dryrun
+          echo "::endgroup::"
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 169ca32..bfa553a 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -3,6 +3,7 @@ name: npm Publish
 on:
   push:
     branches: [main]
+  workflow_dispatch:
 
 permissions:
   contents: write
@@ -97,7 +98,9 @@ jobs:
 
   publish-cdn-widget:
     needs: release-please
-    if: needs.release-please.outputs.widget--release_created == 'true'
+    if: |
+      needs.release-please.outputs.widget--release_created == 'true' ||
+      github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -113,6 +116,19 @@ jobs:
 
       - run: bun run build
 
+      - name: Resolve widget version
+        id: ver
+        env:
+          RELEASE_VERSION: ${{ needs.release-please.outputs.widget--version }}
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            VER=$(node -p "require('./packages/widget/package.json').version")
+          else
+            VER="${RELEASE_VERSION}"
+          fi
+          echo "version=${VER}" >> $GITHUB_OUTPUT
+          echo "Resolved widget version: ${VER}"
+
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v6
         with:
@@ -123,7 +139,7 @@ jobs:
       - name: Upload widget bundle to CDN (versioned + latest)
         env:
           BUCKET: ${{ secrets.CDN_S3_BUCKET }}
-          VERSION: ${{ needs.release-please.outputs.widget--version }}
+          VERSION: ${{ steps.ver.outputs.version }}
         run: |
           aws s3 sync ./packages/widget/dist/ "s3://${BUCKET}/widgets/v${VERSION}/" --delete
           aws s3 sync ./packages/widget/dist/ "s3://${BUCKET}/widgets/latest/" --delete