diff --git a/services/actions/variables.go b/services/actions/variables.go
index fed1fd0890..a9f42105a3 100644
--- a/services/actions/variables.go
+++ b/services/actions/variables.go
@@ -87,7 +87,7 @@ func GetVariable(ctx context.Context, opts actions_model.FindVariablesOpts) (*ac
 // https://docs.github.com/en/actions/learn-github-actions/variables#naming-conventions-for-configuration-variables
 // https://docs.github.com/en/actions/security-guides/encrypted-secrets#naming-your-secrets
 var (
-	forbiddenEnvNameCIRx = regexp.MustCompile("(?i)^CI")
+	forbiddenEnvNameCIRx = regexp.MustCompile("(?i)^CI$")
 )
 
 func envNameCIRegexMatch(name string) error {
diff --git a/services/actions/variables_test.go b/services/actions/variables_test.go
new file mode 100644
index 0000000000..f69bc674e1
--- /dev/null
+++ b/services/actions/variables_test.go
@@ -0,0 +1,17 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package actions
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestServicesAction_envNameCIRegexMatch(t *testing.T) {
+	require.ErrorContains(t, envNameCIRegexMatch("ci"), "cannot be ci")
+	require.ErrorContains(t, envNameCIRegexMatch("CI"), "cannot be ci")
+	assert.NoError(t, envNameCIRegexMatch("CI_SOMETHING"))
+}