diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 102c8ab..7cf27e6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -139,6 +139,13 @@ jobs:
 run: pnpm install --frozen-lockfile
 - name: Build frontend
+ # NEXT_PUBLIC_* vars are inlined into the client bundle at build time,
+ # so they must be forwarded explicitly from secrets here — GitHub
+ # Secrets are NOT automatically exposed as env vars to `run` steps.
+ # If this env block is missing, released builds ship with undefined
+ # values where the Turnstile site key should be, and login breaks.
+ env:
+ NEXT_PUBLIC_TURNSTILE: ${{ secrets.NEXT_PUBLIC_TURNSTILE }}
 run: pnpm exec next build
 - name: Verify frontend dist exists
diff --git a/.github/workflows/rolling-release.yml b/.github/workflows/rolling-release.yml
index c282596..89e9098 100644
--- a/.github/workflows/rolling-release.yml
+++ b/.github/workflows/rolling-release.yml
@@ -138,6 +138,13 @@ jobs:
 run: pnpm install --frozen-lockfile
 - name: Build frontend
+ # NEXT_PUBLIC_* vars are inlined into the client bundle at build time,
+ # so they must be forwarded explicitly from secrets here — GitHub
+ # Secrets are NOT automatically exposed as env vars to `run` steps.
+ # If this env block is missing, released builds ship with undefined
+ # values where the Turnstile site key should be, and login breaks.
+ env:
+ NEXT_PUBLIC_TURNSTILE: ${{ secrets.NEXT_PUBLIC_TURNSTILE }}
 run: pnpm exec next build
 - name: Verify frontend dist exists
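Review bot: Nothing in the `Build frontend` step fails when `secrets.NEXT_PUBLIC_TURNSTILE` is unset or unavailable to the run, because a missing secret expands to an empty string and the build would presumably still succeed, so the broken-login release that the new comment describes can still ship; the identical hunk in `rolling-release.yml` has the same gap. A guard ahead of the build would catch it, for example turning the step into `run: |` with `test -n "$NEXT_PUBLIC_TURNSTILE" || { echo "NEXT_PUBLIC_TURNSTILE is empty" >&2; exit 1; }` on the line before `pnpm exec next build`. Because anything named `NEXT_PUBLIC_*` ends up readable in the shipped client bundle, the comment should also state that only the public site key belongs in this block, e.g. `# Only the public Turnstile site key goes here; the Turnstile secret key must stay server-side.` Whether a later step outside the hunk already checks the value cannot be seen from here.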