diff --git a/.github/workflows/forward-merge.yml b/.github/workflows/forward-merge.yml
index 9567229a..024e07c0 100644
--- a/.github/workflows/forward-merge.yml
+++ b/.github/workflows/forward-merge.yml
@@ -97,6 +97,25 @@ jobs:
             git commit -m "chore: sync staging release-please manifest to ${TAG}"
           fi
 
+      # release-please bumps the project version in pyproject.toml but never
+      # touches uv.lock, which records the editable ocotilloapi version.
+      # tests.yml runs `uv sync --locked`, so the back-merge PR fails CI until
+      # the lockfile is re-locked (see commit 27751110). Idempotent: no
+      # lockfile change -> no commit.
+      - name: Install uv
+        uses: astral-sh/setup-uv@v8.2.0
+        with:
+          enable-cache: true
+          cache-dependency-glob: uv.lock
+
+      - name: Sync uv.lock to released version
+        run: |
+          uv lock
+          if ! git diff --quiet -- uv.lock; then
+            git add uv.lock
+            git commit -m "chore: sync uv.lock to released version ${TAG#v}"
+          fi
+
       # Retry-safe: skip if a PR is already open for this merge; force-with-lease
       # handles a branch left behind by a previous partial run.
       - name: Push branch and open PR
@@ -131,6 +150,35 @@ jobs:
       SOURCE: ${{ inputs.source_branch }}
     steps:
       - uses: actions/checkout@v6.0.3
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.source_branch }}
+          token: ${{ secrets.FORWARD_MERGE_TOKEN || github.token }}
+      - name: Set up git user
+        run: |
+          git config user.name  "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      # The PR head is the hotfix branch itself, so the lockfile sync commit
+      # (release-please bumped pyproject.toml but not uv.lock; tests run
+      # `uv sync --locked`) is pushed directly to the hotfix branch before the
+      # PR is opened. Idempotent: lockfile already in sync -> no commit, no
+      # push. Plain push (not force) so an out-of-date checkout fails loudly
+      # instead of clobbering newer hotfix commits.
+      - name: Install uv
+        uses: astral-sh/setup-uv@v8.2.0
+        with:
+          enable-cache: true
+          cache-dependency-glob: uv.lock
+
+      - name: Sync uv.lock to released version
+        run: |
+          uv lock
+          if ! git diff --quiet -- uv.lock; then
+            git add uv.lock
+            git commit -m "chore: sync uv.lock to released version ${TAG#v}"
+            git push origin "HEAD:${SOURCE}"
+          fi
 
       # Retry-safe: skip if a PR is already open from this hotfix branch.
       - name: Open PR hotfix -> production