diff --git a/.github/workflows/build-android.yml b/.github/workflows/build-android.yml
index 8ebfa1d8..b682b689 100644
--- a/.github/workflows/build-android.yml
+++ b/.github/workflows/build-android.yml
@@ -5,10 +5,13 @@ name: Hash Bags Android build
 # - PRs targeting dev/main (gate merges)
 # - manual via workflow_dispatch
 on:
+ # PR-from-fork triggers strip secrets in Gitea (and GitHub) for security.
+ # We mirror github-such-software/hash-wallet → Builds/hash-wallet via PRs,
+ # so a pull_request trigger here would always run without secrets.
+ # Listen only to push events on the destination branch (post-merge) so
+ # secrets are reliably available.
 push:
 branches: [dev, main]
- pull_request:
- branches: [dev, main]
 workflow_dispatch:

 concurrency:
@@ -189,8 +192,19 @@ jobs:
 ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
 run: |
 set -e
+ # Debug visibility — prints lengths only, never values. If a secret
+ # length is 0, Gitea Actions is not passing it to this run (most
+ # commonly because the run was triggered by a from-fork PR).
+ echo "ANDROID_KEYSTORE_BASE64 length: ${#ANDROID_KEYSTORE_BASE64}"
+ echo "ANDROID_KEYSTORE_PASSWORD length: ${#ANDROID_KEYSTORE_PASSWORD}"
+ echo "ANDROID_KEY_ALIAS length: ${#ANDROID_KEY_ALIAS}"
+ echo "ANDROID_KEY_PASSWORD length: ${#ANDROID_KEY_PASSWORD}"
 if [[ -z "$ANDROID_KEYSTORE_BASE64" ]]; then
- echo "FATAL: ANDROID_KEYSTORE_BASE64 not set — configure Gitea Actions secrets first"
+ echo "FATAL: ANDROID_KEYSTORE_BASE64 not reaching the runner."
+ echo "Check: (1) secret is in repo Settings → Actions → Secrets;"
+ echo " (2) workflow was triggered by 'push' or 'workflow_dispatch'"
+ echo " (PR triggers from a fork strip secrets);"
+ echo " (3) Gitea's runner is configured to pass secrets."
 exit 1
 fi
 # Write decoded keystore next to build.gradle (storeFile path
diff --git a/.github/workflows/build-ios-sim.yml b/.github/workflows/build-ios-sim.yml
index b94c1f64..6be9bafe 100644
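Review bot: The header comment directly above `on:` in build-android.yml still lists "PRs targeting dev/main (gate merges)" as a trigger, which stops being true once `pull_request` is removed; build-linux.yml carries the same stale line ("on PRs targeting dev/main (gates merges)"). I would change it to `# - pushes to dev/main (post-merge; PRs are no longer built here)`. The new comment should also say that nothing in this workflow now builds a change before it lands on dev/main, so review in the upstream repository is the only pre-merge check on what the signing job later compiles.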
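Review bot: The four added `echo "… length: ${#…}"` lines in the signing step of build-android.yml write the exact lengths of ANDROID_KEYSTORE_PASSWORD and ANDROID_KEY_PASSWORD into the job log, and log masking covers secret values, not numbers derived from them. Anyone who can read run logs learns the password lengths, which narrows an offline guess against the keystore, and the logs will outlive the debugging session. Presence is all the diagnosis needs, so print a flag per variable instead, e.g. `echo "ANDROID_KEY_PASSWORD: $([[ -n "$ANDROID_KEY_PASSWORD" ]] && echo set || echo MISSING)"`. The `-z` guard that follows still checks only ANDROID_KEYSTORE_BASE64, so the other three can be empty and the step carries on; the step body continues past the end of the hunk.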
--- a/.github/workflows/build-ios-sim.yml
+++ b/.github/workflows/build-ios-sim.yml
@@ -8,10 +8,9 @@ name: Hash Bags iOS Simulator build
 # Phase 2 (separate workflow): full TestFlight pipeline with signing.

 on:
+ # See note in build-android.yml about Gitea PR-from-fork secret stripping.
 push:
 branches: [dev, main]
- pull_request:
- branches: [dev, main]
 workflow_dispatch:

 # Cancel in-flight runs when a newer commit lands on the same branch — so a
@@ -62,11 +61,9 @@ jobs:
 pod --version
 exit 0
 fi
- # Prefer Homebrew on macOS — no sudo, installs into its own prefix.
 if command -v brew >/dev/null; then
 brew install cocoapods
 else
- # Fallback: user-local gem install (no sudo).
 export GEM_HOME="$HOME/.gem"
 export PATH="$GEM_HOME/bin:$PATH"
 echo "GEM_HOME=$HOME/.gem" >> "$GITHUB_ENV"
@@ -75,6 +72,27 @@ jobs:
 fi
 pod --version

+ - name: Install Go + gomobile (if missing)
+ run: |
+ if ! command -v go >/dev/null; then
+ if command -v brew >/dev/null; then
+ brew install go
+ else
+ echo "Go missing and brew not available"; exit 1
+ fi
+ fi
+ go version
+ # Ensure $(go env GOPATH)/bin is on PATH for subsequent steps.
+ GOPATH=$(go env GOPATH)
+ echo "$GOPATH/bin" >> "$GITHUB_PATH"
+ export PATH="$PATH:$GOPATH/bin"
+ # gomobile + gobind are needed by scripts/build_bitbox_flutter.sh
+ if ! command -v gomobile >/dev/null; then
+ go install golang.org/x/mobile/cmd/gomobile@latest
+ go install golang.org/x/mobile/cmd/gobind@latest
+ fi
+ which gomobile && gomobile version || true
+
 - name: Show toolchain
 run: |
 set -x
diff --git a/.github/workflows/build-ios-testflight.yml b/.github/workflows/build-ios-testflight.yml
index 4acd8192..27e818cd 100644
--- a/.github/workflows/build-ios-testflight.yml
+++ b/.github/workflows/build-ios-testflight.yml
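Review bot: Both `go install golang.org/x/mobile/cmd/…@latest` lines in the new "Install Go + gomobile" step of build-ios-sim.yml resolve to whatever the module proxy serves on the day of the run, so the binding generator for a wallet build is unpinned and two runs of the same commit can use different tool code. Pin both to one reviewed version, `go install golang.org/x/mobile/cmd/gomobile@<pinned-version>` and the same for gobind, and bump it deliberately. The `command -v gomobile` guard also means a runner that already has some other gomobile on PATH keeps it, and gobind is never checked on its own, so comparing the installed version is safer than testing for presence. The identical step added to build-ios-testflight.yml needs the same change, and it presumably matters more there since that workflow feeds the distributed build.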
@@ -76,6 +76,25 @@ jobs:
 fi
 pod --version

+ - name: Install Go + gomobile (if missing)
+ run: |
+ if ! command -v go >/dev/null; then
+ if command -v brew >/dev/null; then
+ brew install go
+ else
+ echo "Go missing and brew not available"; exit 1
+ fi
+ fi
+ go version
+ GOPATH=$(go env GOPATH)
+ echo "$GOPATH/bin" >> "$GITHUB_PATH"
+ export PATH="$PATH:$GOPATH/bin"
+ if ! command -v gomobile >/dev/null; then
+ go install golang.org/x/mobile/cmd/gomobile@latest
+ go install golang.org/x/mobile/cmd/gobind@latest
+ fi
+ which gomobile && gomobile version || true
+
 - name: Show toolchain
 run: |
 set -x
diff --git a/.github/workflows/build-linux.yml b/.github/workflows/build-linux.yml
index 2aaba566..e8422c0e 100644
--- a/.github/workflows/build-linux.yml
+++ b/.github/workflows/build-linux.yml
@@ -5,10 +5,12 @@ name: Hash Bags Linux build
 # - on PRs targeting dev/main (gates merges)
 # - manual via workflow_dispatch ("Run workflow" button in the UI)
 on:
+ # See note in build-android.yml about pull_request vs push triggers and
+ # Gitea Actions' from-fork secret stripping. Push-only here too for
+ # consistency (no secrets are required for Linux build today, but if we
+ # add any in future this avoids surprises).
 push:
 branches: [dev, main]
- pull_request:
- branches: [dev, main]
 workflow_dispatch:

 concurrency:
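Review bot: The last line of the step added to build-ios-testflight.yml, `which gomobile && gomobile version || true`, always succeeds, so a failed or off-PATH install passes this step and only surfaces later in whichever script invokes gomobile. Make it the verification it reads as: `command -v gomobile >/dev/null && command -v gobind >/dev/null || { echo "gomobile/gobind not on PATH"; exit 1; }`. The `run:` block also has no `set -e`, unlike the signing step in build-android.yml, so whether a failing `go install` stops the job depends on the runner's default shell flags; adding `set -e` as its first line removes that dependency. The same step in build-ios-sim.yml has both issues.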