diff --git a/.github/workflows/CD-publish-deps-image.yml b/.github/workflows/CD-publish-deps-image.yml
index 7b65689811..c97f1fb675 100644
--- a/.github/workflows/CD-publish-deps-image.yml
+++ b/.github/workflows/CD-publish-deps-image.yml
@@ -76,10 +76,9 @@ jobs:
             docker push ghcr.io/stjude/ppserver:latest
             docker push ghcr.io/stjude/ppfull:latest
 
-            # TODO: !!! fix merging back to master !!!
             echo "merging to master"
             git fetch --depth=10 origin master:master
             git switch master
-            git merge deps-image
+            git merge $BRANCH
             git push
           fi
diff --git a/.github/workflows/CD-release-packages.yml b/.github/workflows/CD-release-packages.yml
index a9a644a3aa..e46115d6eb 100644
--- a/.github/workflows/CD-release-packages.yml
+++ b/.github/workflows/CD-release-packages.yml
@@ -3,7 +3,7 @@ name: "Release Packages"
 on:
   push:
     branches:
-      - release
+      - pkg-release
       - fake-release
     paths-ignore:
       - '**.md'
@@ -21,7 +21,16 @@ on:
         description: Build secret
 
 jobs:
+  unit_test:
+    uses: ./.github/workflows/CI-unit.yml
+    secrets: inherit # pragma: allowlist secret
+
+  integration_test:
+    uses: ./.github/workflows/CI-integration.yml
+    secrets: inherit # pragma: allowlist secret
+
   build:
+    needs: [unit_test, integration_test]
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -67,7 +76,7 @@ jobs:
           node-version: '16'
           registry-url: 'https://registry.npmjs.org'
           scope: '@sjcrh'
-          
+
       - name: ⚡ Cache
         uses: actions/cache@v2
         with:
@@ -92,11 +101,21 @@ jobs:
       - name: Publish packages
         run: |
           BRANCH=$(git rev-parse --abbrev-ref HEAD)
-          if [[ "$BRANCH" != "release" && "$BRANCH" != "master" ]]; then 
+          if [[ "$BRANCH" != "pkg-release" && "$BRANCH" != "master" ]]; then 
             echo "skipping publishing"
-          else 
+          else
+            # ./build/bump.js is called from within `ci-version-update.sh`, 
+            # get the same updated workspaces but don't edit the package.json's (no -w option)
+            UPDATED=$(./build/bump.js prerelease)
             ./build/ci-npm-publish.sh "$UPDATED"
-            # !!! ---- merge back to master --- !!!
+
+            if [[ "$BRANCH" != "master" ]]; then
+              echo "merging to master"
+              git fetch --depth=10 origin master:master
+              git switch master
+              git merge $BRANCH
+              git push
+            fi
           fi
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPMJS_TOKEN }}
diff --git a/.github/workflows/CI-integration.yml b/.github/workflows/CI-integration.yml
index 1d711560ee..04915f6c49 100644
--- a/.github/workflows/CI-integration.yml
+++ b/.github/workflows/CI-integration.yml
@@ -8,6 +8,7 @@ on:
       build_secret:
         type: string
         description: Build secret
+  workflow_call: {}
 
 jobs:
   build:
@@ -16,13 +17,15 @@ jobs:
     timeout-minutes: 20
     steps:
       - name: Check secret
+        if: github.event_name == 'workflow_dispatch'
         run: |
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ] && [ "${{ github.event.inputs.build_secret }}" != "${{ secrets.BUILD_SECRET }}" ]; then
+          if [ "${{ github.event.inputs.build_secret }}" != "${{ secrets.BUILD_SECRET }}" ]; then
             echo "Wrong build secret."
             exit 1
           fi 
 
       - name: Check user permission
+        if: github.event_name == 'workflow_dispatch'
         id: check
         uses: scherermichael-oss/action-has-permission@master
         with:
@@ -31,9 +34,9 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Exit if user doesn't have write permission
+        if: github.event_name == 'workflow_dispatch'
         run: |
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ] && [ "${{ steps.check.outputs.has-permission }}" = "false" ]
-            then
+          if [ "${{ steps.check.outputs.has-permission }}" = "false" ]; then
             echo "Only users with write permission are allowed to execute this workflow."
             exit 1
           fi
diff --git a/.github/workflows/CI-unit.yml b/.github/workflows/CI-unit.yml
index 0547390c79..692d52675d 100644
--- a/.github/workflows/CI-unit.yml
+++ b/.github/workflows/CI-unit.yml
@@ -18,9 +18,11 @@ on:
       - '.**ignore'
       - 'docs/**'
 
+  workflow_call: {}
+
 jobs:
   build:
-    if: (github.event_name == 'push' && github.event.head_commit.author.email != 'PPTeam@STJUDE.ORG') || (github.event_name == 'pull_request' && github.event.pull_request.draft == false)
+    if: (github.event_name == 'workflow_call') || (github.event_name == 'push' && github.event.head_commit.author.email != 'PPTeam@STJUDE.ORG') || (github.event_name == 'pull_request' && github.event.pull_request.draft == false)
     runs-on: ubuntu-latest
     timeout-minutes: 20
 
diff --git a/container/pack.sh b/container/pack.sh
index a97947e783..55a5a8d52a 100755
--- a/container/pack.sh
+++ b/container/pack.sh
@@ -6,27 +6,25 @@ set -euxo pipefail
 # - will pack workspaces 
 # - replace each workspace package.json's dependency versions
 #   with the tarball location as copied into the Docker build
+#
+# call from the proteinpaint/container dir
 
-# from the proteinpaint/container dir
+# defaults
+PKGPATH=/home/root/pp/tmppack
+TMPDIR=/home/root/pp/tmppack/
 
-WORKSPACES="rust server client front"
-if [[ "$1" != "" ]]; then
-	WORKSPACES="$1"
+if (( $# == 1 )); then
+	PKGPATH="$1"
 fi
 
-TMPDIR=/home/root/pp/tmppack/
-if [[ "$2" != "" ]]; then
+if (( $# == 2 )); then
+	PKGPATH="$1"
 	TMPDIR="$2"
 fi
 
 rm -rf tmppack
 mkdir tmppack
 
-PKGPATH=/home/root/pp/tmppack
-if (( $# == 1 )); then
-	PKGPATH="$1"
-fi
-
 FRONTTDEPNAME="@sjcrh/proteinpaint-front"
 SERVERTDEPNAME="@sjcrh/proteinpaint-server"