diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4f230fd50..3e99b3aaa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,6 +21,11 @@ env:
 # Commit timestamp used for deterministic nightly version strings.
 # Defined at workflow level so build-binary and publish-nightly always agree.
 COMMIT_TIMESTAMP: ${{ github.event.head_commit.timestamp }}
+ # SENTRY_CLIENT_ID is baked into the binary at build time. Fork PRs can't
+ # read repo vars (getsentry org policy); fall back to a dummy. The resulting
+ # binary is only smoke-tested (--help) and never shipped, so any non-empty
+ # value works; tests tolerate the dummy via test/preload.ts.
+ SENTRY_CLIENT_ID: ${{ vars.SENTRY_CLIENT_ID || 'ci-fork-pr-dummy' }}
 
 jobs:
 changes:
@@ -112,7 +117,11 @@ jobs:
 - uses: actions/checkout@v6
 with:
 token: ${{ steps.token.outputs.token || github.token }}
- ref: ${{ github.head_ref || github.ref_name }}
+ # Same-repo PRs (token step succeeded): check out the branch head so
+ # the auto-commit step can push regenerated docs back. Fork PRs leave
+ # `ref` empty so checkout defaults to GITHUB_REF (the pull_request
+ # merge SHA, always fetchable from the base repo with github.token).
+ ref: ${{ steps.token.outcome == 'success' && (github.head_ref || github.ref_name) || '' }}
 - uses: oven-sh/setup-bun@v2
 - uses: actions/cache@v5
 id: cache
@@ -257,8 +266,9 @@ jobs:
 mv package.json.tmp package.json
 - name: Build
 env:
- SENTRY_CLIENT_ID: ${{ vars.SENTRY_CLIENT_ID }}
- # Sourcemap upload to Sentry (non-fatal, skipped when token is absent)
+ # Environment-scoped (production) — must be set at step level to
+ # resolve correctly; workflow-level env evaluates before the job's
+ # environment: is applied.
 SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
 # Set on main/release branches so build.ts runs binpunch + creates .gz
 RELEASE_BUILD: ${{ github.event_name != 'pull_request' && '1' || '' }}
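Review bot: The `'ci-fork-pr-dummy'` fallback in the workflow-level `SENTRY_CLIENT_ID` applies whenever `vars.SENTRY_CLIENT_ID` is empty, not only on fork PRs, so a missing or renamed repo var on a main or release run would silently bake the dummy client ID into a binary that the later jobs presumably do ship; the comment's "never shipped" holds only for the PR path. Gating the fallback on the event keeps non-PR builds fail-closed: `SENTRY_CLIENT_ID: ${{ vars.SENTRY_CLIENT_ID || (github.event_name == 'pull_request' && 'ci-fork-pr-dummy') || '' }}`. Whether an empty value actually fails the build is not visible in this hunk; if it does not, a step in the release jobs asserting `vars.SENTRY_CLIENT_ID != ''` would give the same protection.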
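Review bot: The `steps.token.outcome == 'success'` test on the new `ref:` line is only meaningful if the token step cannot fail the job, i.e. it carries `continue-on-error: true` or an `if:` that skips it on fork PRs; that step is outside the hunk, so the new comment should state which it relies on, e.g. `# Relies on the token step being continue-on-error (or skipped) for fork PRs.`. A skipped token step yields outcome `'skipped'`, which correctly falls through to `''`, so the expression covers both cases as long as that assumption holds.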
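Review bot: The removed line `# Sourcemap upload to Sentry (non-fatal, skipped when token is absent)` was the only statement of what `SENTRY_AUTH_TOKEN` is for in the Build step; the replacement comment explains only why it is step-scoped, so the purpose should be kept, e.g. by prepending `# Sourcemap upload to Sentry (non-fatal, skipped when token is absent).` to the new comment. The same applies to the Bundle step in the `@@ -670,7` hunk, whose one-line comment points back to this note for the explanation.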
@@ -670,7 +680,7 @@ jobs:
 run: bun install --frozen-lockfile
 - name: Bundle
 env:
- SENTRY_CLIENT_ID: ${{ vars.SENTRY_CLIENT_ID }}
+ # Environment-scoped (production) — see note in build-binary.
 SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
 run: bun run bundle
 - name: Smoke test (Node.js)
@@ -690,6 +700,12 @@ jobs:
 # SENTRY_AUTH_TOKEN is scoped to the production environment. Needed by
 # the "Inject debug IDs and upload sourcemaps" step below.
 environment: ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) && 'production' || '' }}
+ # Hoisted to job level (not step) so the `if: env.SENTRY_AUTH_TOKEN != ''`
+ # guard on the sourcemap-upload step can see it. Job-level env is resolved
+ # after `environment:` is applied, so the production-scoped secret resolves
+ # correctly.
+ env:
+ SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
 steps:
 - uses: actions/checkout@v6
 - uses: oven-sh/setup-bun@v2
@@ -727,7 +743,6 @@ jobs:
 - name: Inject debug IDs and upload sourcemaps
 if: github.event_name == 'push' && env.SENTRY_AUTH_TOKEN != ''
 env:
- SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
 SENTRY_ORG: sentry
 SENTRY_PROJECT: cli-website
 run: |
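Review bot: Hoisting `SENTRY_AUTH_TOKEN` to job-level `env:` in the `@@ -690,6` hunk exposes the production secret to every step of the job — checkout, setup-bun and any other action that follows — rather than to the single upload step that needs it, so a compromised or over-curious third-party action in that job now sees it. A step `if:` cannot read `secrets` directly, which is presumably why it was hoisted, but a presence flag can be computed in a step-level env with `HAS_SENTRY_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN != '' }}`, exported via `$GITHUB_OUTPUT`, and used to gate the upload step while the secret itself stays in that step's own `env:` (the line the `@@ -727,7` hunk deletes). With that change the job-level `env:` block and its four-line comment can be dropped; the `push` condition on the `if:` is unaffected.
```yaml
      # Presence flag only; the secret itself stays scoped to the upload step.
      - name: Check for Sentry token
        id: sentry
        env:
          HAS_SENTRY_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN != '' }}
        run: echo "present=$HAS_SENTRY_TOKEN" >> "$GITHUB_OUTPUT"
      # … unchanged: build and bundle steps …
      - name: Inject debug IDs and upload sourcemaps
        if: github.event_name == 'push' && steps.sentry.outputs.present == 'true'
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
```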