diff --git a/.forgejo/workflows/build.yml b/.forgejo/workflows/build.yml
index 9cd8deadd..40dc8b668 100644
--- a/.forgejo/workflows/build.yml
+++ b/.forgejo/workflows/build.yml
@@ -33,19 +33,21 @@ jobs:
 container:
 image: git.sulkta.com/sulkta-infra/straw-build:latest
 steps:
- - name: Checkout straw
- uses: actions/checkout@v4
- with:
- path: straw
-
- # strawcore is consumed by rust/strawcore via `path = "../../../strawcore"`,
- # i.e. a sibling of the straw checkout — so it MUST live next to it.
- - name: Checkout strawcore (sibling)
- uses: actions/checkout@v4
- with:
- repository: Sulkta-OSS/strawcore
- ref: main
- path: strawcore
+ # We clone with plain git instead of actions/checkout@v4: that action is
+ # a Node action, and the straw-build job container ships the Android +
+ # Rust toolchain but NOT node — so checkout@v4 dies with
+ # `exec: "node": not found`. git is in the image, both repos are public,
+ # and a shell clone also sidesteps the runner's flaky data.forgejo.org
+ # action fetch. strawcore must be a SIBLING of straw because
+ # rust/strawcore depends on it via `path = "../../../strawcore"`.
+ - name: Checkout straw + strawcore (sibling, no JS actions)
+ run: |
+ set -euo pipefail
+ git clone https://git.sulkta.com/Sulkta-OSS/straw.git straw
+ git -C straw checkout --detach "${{ github.sha }}"
+ git clone --depth 1 https://git.sulkta.com/Sulkta-OSS/strawcore.git strawcore
+ echo "straw: $(git -C straw rev-parse --short HEAD)"
+ echo "strawcore: $(git -C strawcore rev-parse --short HEAD)"
 
 - name: Decode signing keystore
 env:
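Review bot: The strawcore clone on the `git clone --depth 1 …strawcore.git strawcore` line takes whatever the remote's default branch points at when the job runs, and the next step in this job decodes the signing keystore, so an unreviewed push to strawcore ends up in a release-signed APK. The removed step at least named `ref: main`; the new command drops that, and only a short SHA is logged. I would pin strawcore the same way straw is pinned, using a full SHA recorded in the straw repo (`STRAWCORE_REV` is a placeholder name): `git clone https://git.sulkta.com/Sulkta-OSS/strawcore.git strawcore` followed by `git -C strawcore checkout --detach "$STRAWCORE_REV"`, and log `rev-parse HEAD` without `--short`. Passing `${{ github.sha }}` through an `env:` entry instead of expanding it inside the script text is also the safer habit for `run:` blocks.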
@@ -77,7 +79,9 @@ jobs:
 echo "Built vc=$VC -> $NAME"
 # The whole series is signed with SHA-1 bb9ca96b...; fail loudly if a
 # build ever produces a different signer (would break in-place updates).
- FP=$("$ANDROID_HOME/build-tools/34.0.0/apksigner" verify --print-certs "$APK" | grep -i 'SHA-1' | grep -o '[0-9a-f]\{40\}')
+ # Pick whatever build-tools the image actually ships (36 today, not 34).
+ APKSIGNER=$(ls "$ANDROID_HOME"/build-tools/*/apksigner | sort -V | tail -1)
+ FP=$("$APKSIGNER" verify --print-certs "$APK" | grep -i 'SHA-1' | grep -o '[0-9a-f]\{40\}')
 echo "signer SHA-1: $FP"
 if [ "$FP" != "bb9ca96b10ebbc1ac48e037a21f350415d18915f" ]; then
 echo "::error::APK signer $FP != canonical key — refusing to publish"; exit 1
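Review bot: If the glob on the `APKSIGNER=` line matches nothing, the lookup yields an empty string and the job only stops later with the misleading "APK signer != canonical key" error, because the fingerprint comes out empty. That still fails closed, but a guard right after the lookup names the real cause: `[ -x "$APKSIGNER" ] || { echo "::error::no apksigner under $ANDROID_HOME/build-tools"; exit 1; }`. The exit status of `apksigner verify` is likewise swallowed by the grep pipeline unless `pipefail` is active in this step, which the hunk does not show since the script starts and ends outside it. Separately, the pin compares the certificate's SHA-1 digest; `--print-certs` prints a SHA-256 digest as well, and comparing that one would be the stronger check.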