diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml
index 5e57c6e4..7bc67a0e 100644
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -173,18 +173,18 @@ jobs:
           [ -n "$HOST_IP" ] || { echo "ERROR: could not detect Docker bridge gateway via 'ip route'"; exit 1; }
           RESOLVE="--resolve $HOST:443:$HOST_IP"
           echo "Smoke test: $URL (pinned to $HOST_IP via bridge gateway)"
-          curl -fsS $RESOLVE --max-time 10 "$URL/login" -o /dev/null
+          curl -fsS "$RESOLVE" --max-time 10 "$URL/login" -o /dev/null
           # Pin the preload-list-eligible HSTS value, not just header presence:
           # a degraded `max-age=1` or a dropped `includeSubDomains; preload` must
           # fail this check rather than pass it silently.
-          curl -fsS $RESOLVE --max-time 10 -I "$URL/" \
+          curl -fsS "$RESOLVE" --max-time 10 -I "$URL/" \
             | grep -Eqi 'strict-transport-security:[[:space:]]*max-age=31536000.*includeSubDomains.*preload'
           # Permissions-Policy denies APIs the app does not use (camera,
           # microphone, geolocation). A regression that loosens or drops the
           # header now fails the smoke step.
-          curl -fsS $RESOLVE --max-time 10 -I "$URL/" \
+          curl -fsS "$RESOLVE" --max-time 10 -I "$URL/" \
             | grep -Eqi 'permissions-policy:[[:space:]]*camera=\(\),[[:space:]]*microphone=\(\),[[:space:]]*geolocation=\(\)'
-          status=$(curl -s $RESOLVE -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health")
+          status=$(curl -s "$RESOLVE" -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health")
           [ "$status" = "404" ] || { echo "expected 404 from /actuator/health, got $status"; exit 1; }
           echo "All smoke checks passed"
 
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 714dc864..d980ca10 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -117,18 +117,18 @@ jobs:
           [ -n "$HOST_IP" ] || { echo "ERROR: could not detect Docker bridge gateway via 'ip route'"; exit 1; }
           RESOLVE="--resolve $HOST:443:$HOST_IP"
           echo "Smoke test: $URL (pinned to $HOST_IP via bridge gateway)"
-          curl -fsS $RESOLVE --max-time 10 "$URL/login" -o /dev/null
+          curl -fsS "$RESOLVE" --max-time 10 "$URL/login" -o /dev/null
           # Pin the preload-list-eligible HSTS value, not just header presence:
           # a degraded `max-age=1` or a dropped `includeSubDomains; preload` must
           # fail this check rather than pass it silently.
-          curl -fsS $RESOLVE --max-time 10 -I "$URL/" \
+          curl -fsS "$RESOLVE" --max-time 10 -I "$URL/" \
             | grep -Eqi 'strict-transport-security:[[:space:]]*max-age=31536000.*includeSubDomains.*preload'
           # Permissions-Policy denies APIs the app does not use (camera,
           # microphone, geolocation). A regression that loosens or drops the
           # header now fails the smoke step.
-          curl -fsS $RESOLVE --max-time 10 -I "$URL/" \
+          curl -fsS "$RESOLVE" --max-time 10 -I "$URL/" \
             | grep -Eqi 'permissions-policy:[[:space:]]*camera=\(\),[[:space:]]*microphone=\(\),[[:space:]]*geolocation=\(\)'
-          status=$(curl -s $RESOLVE -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health")
+          status=$(curl -s "$RESOLVE" -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health")
           [ "$status" = "404" ] || { echo "expected 404 from /actuator/health, got $status"; exit 1; }
           echo "All smoke checks passed"