diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
index cb369e49..73dc338e 100644
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -43,7 +43,7 @@ jobs:
 - name: Checkout
 run: |
 apk add --no-cache git bash
- git clone --depth 200 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+ git clone --depth 200 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 if [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then
 git fetch --depth 200 origin "${GITHUB_BASE_REF}" || true
 else
@@ -87,7 +87,7 @@ jobs:
 - name: Checkout
 run: |
 apk add --no-cache git bash
- git clone --depth 20 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+ git clone --depth 20 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 git fetch origin ${GITHUB_BASE_REF}:base
 - name: Require [guardrail-change] in commits touching guardrails
 run: |
@@ -108,7 +108,7 @@ jobs:
 - name: Checkout
 run: |
 apk add --no-cache git bash
- git clone --depth 50 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+ git clone --depth 50 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 - name: Enforce 500-line hard cap
 run: |
 chmod +x scripts/check-loc.sh
@@ -123,7 +123,7 @@ jobs:
 - name: Checkout
 run: |
 apk add --no-cache git
- git clone --depth 50 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+ git clone --depth 50 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 - name: Scan for secrets
 run: |
 gitleaks detect --source . --no-git \
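Review bot: The `git clone` in the Checkout step (hunk at line 43, and the same line in every other hunk of this file) still checks out a branch by name from `${GITHUB_REPOSITORY}`, so each job runs against whatever that branch's tip is in the base repository at clone time rather than the commit under review. If pull requests from forks are possible on this forge (not visible here), the head branch either does not exist in the base repository or a same-named branch is cloned instead, and the guardrail, line-cap and gitleaks gates would then report on code that is not the PR's. Fetching the event's own ref after the clone (for example `git fetch origin "${GITHUB_REF}" && git checkout FETCH_HEAD`, assuming the runner populates `GITHUB_REF` for pull requests) would tie the gates to the reviewed code. The expansion is also unquoted; `--branch "${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"` keeps an author-chosen branch name a single argument.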
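Review bot: In the secret-scan job (hunk at line 123) the clone fetches 50 commits, but the scan that follows is `gitleaks detect --source . --no-git`, which inspects only the checked-out working tree. A credential that is committed and then removed within the same branch would stay in history without being reported. If history coverage is intended, drop `--no-git` so the fetched commits are scanned; if it is not, `--depth 1` is enough for this job. The command continues past the end of the hunk, so flags that are not visible here may change this.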
@@ -141,7 +141,7 @@ jobs:
 - name: Checkout
 run: |
 apk add --no-cache git
- git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+ git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 - name: Lint ai-compliance-sdk
 run: |
 [ -d "ai-compliance-sdk" ] || exit 0
@@ -162,7 +162,7 @@ jobs:
 steps:
 - name: Checkout
 run: |
- git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+ git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 - name: Lint (ruff) + type-check (mypy)
 run: |
 pip install --quiet ruff mypy
@@ -193,7 +193,7 @@ jobs:
 - name: Checkout
 run: |
 apk add --no-cache git
- git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+ git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 - name: Lint + type-check
 run: |
 fail=0
@@ -215,7 +215,7 @@ jobs:
 - name: Checkout
 run: |
 apk add --no-cache git
- git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+ git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 - name: Build Next.js services
 run: |
 fail=0
@@ -239,7 +239,7 @@ jobs:
 steps:
 - name: Checkout
 run: |
- git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+ git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 - name: Install Node.js + Go
 run: |
 curl -fsSL https://deb.nodesource.com/setup_20.x | bash - > /dev/null 2>&1
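Review bot: The install step that follows this checkout (hunk at line 239) runs `curl -fsSL https://deb.nodesource.com/setup_20.x | bash - > /dev/null 2>&1`, which executes whatever the remote host serves at build time with no integrity check and discards the output, so a changed script would go unnoticed. The hunk at line 282 has the same pattern with the syft installer fetched from the `main` branch of its repository. Prefer a runner image that already carries these tools, or download a pinned release and verify it before running, e.g. `echo "<expected-sha256>  install.sh" | sha256sum -c -`. Both steps continue outside their hunks.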
@@ -282,7 +282,7 @@ jobs:
 - name: Checkout
 run: |
 apk add --no-cache git curl bash
- git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+ git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 - name: Install syft + grype
 run: |
 curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
@@ -304,7 +304,7 @@ jobs:
 - name: Checkout
 run: |
 apk add --no-cache git
- git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+ git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 - name: Test ai-compliance-sdk
 run: |
 [ -d "ai-compliance-sdk" ] || exit 0
@@ -324,7 +324,7 @@ jobs:
 steps:
 - name: Checkout
 run: |
- git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+ git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 - name: GT-Bremse measure-coverage report
 run: |
 python3 scripts/gt_measure_gap_analysis.py --json /tmp/gt_gap_report.json > /tmp/gt_gap_report.md
@@ -355,7 +355,7 @@ jobs:
 steps:
 - name: Checkout
 run: |
- git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+ git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 - name: Test backend-compliance
 run: |
 [ -d "backend-compliance" ] || exit 0
@@ -375,7 +375,7 @@ jobs:
 steps:
 - name: Checkout
 run: |
- git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+ git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 - name: Test document-crawler
 run: |
 [ -d "document-crawler" ] || exit 0
@@ -395,7 +395,7 @@ jobs:
 steps:
 - name: Checkout
 run: |
- git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+ git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 - name: Test dsms-gateway
 run: |
 [ -d "dsms-gateway" ] || exit 0
@@ -417,7 +417,7 @@ jobs:
 - name: Checkout
 run: |
 apk add --no-cache git python3 py3-yaml
- git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+ git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 - name: Validate every Dockerfile + compose block declares BUILD_SHA
 run: |
 python3 - <<'PY'
@@ -456,6 +456,6 @@ jobs:
 steps:
 - name: Checkout
 run: |
- git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+ git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 - name: Validate controls
 run: python scripts/validate-controls.py