diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1cc879a55..475825dc3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -96,7 +96,7 @@ jobs:
 aws ecs update-service --cluster discovery-ui-edd --service discovery-ui-edd --force-new-deployment
 publish_production:
 # needs: test
- if: github.ref == 'refs/heads/TGR-50/remediation-update'
+ if: github.ref == 'refs/heads/production'
 name: Publish image to ECR and update ECS stack
 runs-on: ubuntu-latest
 permissions:
diff --git a/src/server/ApiRoutes/User.js b/src/server/ApiRoutes/User.js
index 3e4a2a621..27b9c39ba 100644
--- a/src/server/ApiRoutes/User.js
+++ b/src/server/ApiRoutes/User.js
@@ -9,7 +9,9 @@ function requireUser(req, res) {
 const originalUrl = req.originalUrl.replace(new RegExp(`^${appConfig.baseUrl}/api/`), `${appConfig.baseUrl}/`)
 // TODO: Express 4.x strips the port from req.hostname, inconveniencing
 // local development. May cautiously retrieve it from headers or local config
- const fullUrl = encodeURIComponent(`${req.protocol}://${req.hostname}${originalUrl}`);
+ const fullUrl = encodeURIComponent(`${req.protocol}://${req.hostname}${originalUrl}`)
+ // Don't allow internal hostname ([qa-]discovery.nypl.org) to be used in redirect:
+ .replace('discovery.nypl.org', 'www.nypl.org');
 redirect = `${appConfig.loginUrl}?redirect_uri=${fullUrl}`;
 if (!req.originalUrl.includes('/api/')) {
 res.redirect(redirect);
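Review bot: `publish_production` is pointed back at `refs/heads/production` while the `# needs: test` line directly above the changed `if:` stays commented out, so as far as this hunk shows the production image is published and the stack updated without waiting for the test job. If that gate was only disabled for the TGR-50 remediation branch, restore it in the same change as `needs: test`. The job definition continues past the hunk (the `permissions:` block is cut off), so any other gating cannot be confirmed from here.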
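Review bot: The added `.replace('discovery.nypl.org', 'www.nypl.org')` runs on the already-encoded URL as an unanchored substring match, so it rewrites the first occurrence wherever it falls (host, path or query) and leaves every other value of `req.hostname` untouched. `req.hostname` is taken from the request's Host header (or X-Forwarded-Host when trust proxy is enabled), so the `redirect_uri` handed to the login service remains caller-influenced; unless the login service validates it, mapping one known hostname does not close that. Consider rewriting the host before encoding with an anchored pattern, `const host = req.hostname.replace(/^(qa-)?discovery\.nypl\.org$/, '$1www.nypl.org');`, or preferably taking the public origin from config or an allowlist instead of the request. requireUser's body starts and ends outside the hunk.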