diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
index 957e034..f9cdba1 100644
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@@ -142,11 +142,19 @@ jobs:
       - name: Check for secrets
         run: |
           echo "Checking for potential secrets..."
-          ! find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -v dist | grep -v .git | xargs grep -l "MAPBOX_ACCESS_TOKEN" || \
-          (echo "❌ Found hardcoded Mapbox token!" && exit 1)
+          # Check for hardcoded Mapbox tokens (pk. or sk. prefixes)
+          if find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -v dist | grep -v .git | xargs grep -E "(pk\.|sk\.)[a-zA-Z0-9]{50,}" > /dev/null 2>&1; then
+            echo "❌ Found hardcoded Mapbox token!"
+            find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -v dist | grep -v .git | xargs grep -E "(pk\.|sk\.)[a-zA-Z0-9]{50,}"
+            exit 1
+          fi
           
-          ! find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -v dist | grep -v .git | xargs grep -l "ADMIN_PASSWORD" || \
-          (echo "❌ Found hardcoded admin password!" && exit 1)
+          # Check for hardcoded admin passwords (avoid env var references)
+          if find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -v dist | grep -v .git | xargs grep -E "ADMIN_PASSWORD.*=.*['\"][^'\"]*['\"]" > /dev/null 2>&1; then
+            echo "❌ Found hardcoded admin password!"
+            find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -v dist | grep -v .git | xargs grep -E "ADMIN_PASSWORD.*=.*['\"][^'\"]*['\"]"
+            exit 1
+          fi
           
           echo "✅ No hardcoded secrets found"