diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
index 8b5bef4..b2a6530 100644
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@@ -97,24 +97,33 @@ jobs:
 
   auto-merge:
     # Fusion automatique OPT-IN : poser le label `auto-merge` sur la PR.
-    # Ne s'execute que si les 3 checks passent (needs) ET si le label est present.
-    # Plus fiable que le merge_when_checks_succeed natif de Forgejo (qui ne se
-    # declenche pas toujours au passage au vert). Fusionne via l'API REST.
+    # Ne s'execute que si les 3 checks passent (needs).
+    # IMPORTANT : le filtrage par label se fait DANS le step via l'API, pas dans
+    # `if:` — l'expression contains(github.event.pull_request.labels.*.name, ...)
+    # de Forgejo n'est pas fiable (elle s'evalue a vrai meme sans label, ce qui
+    # fusionnait toute PR verte). La verification shell sur l'API est le vrai gate.
     needs: [secret-scan, php-lint, static-tests]
-    if: github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'auto-merge')
+    if: github.event_name == 'pull_request'
     runs-on: docker
     steps:
       - name: Install curl
         run: apt-get update -qq && apt-get install -y -qq curl ca-certificates >/dev/null
-      - name: Merge PR (squash) once CI is green
+      - name: Merge PR (squash) si label auto-merge present et CI verte
         run: |
           API="${{ github.server_url }}/api/v1/repos/${{ github.repository }}"
           PR="${{ github.event.pull_request.number }}"
+          TOKEN="${{ secrets.FORGEJO_TOKEN }}"
+          labels=$(curl -s -H "Authorization: token $TOKEN" "$API/issues/$PR/labels")
+          if ! printf '%s' "$labels" | grep -q '"name"[[:space:]]*:[[:space:]]*"auto-merge"'; then
+            echo "Pas de label 'auto-merge' sur la PR #$PR -> relecture manuelle, pas de fusion auto."
+            exit 0
+          fi
+          echo "Label 'auto-merge' present + CI verte -> fusion de la PR #$PR"
           code=$(curl -s -o /tmp/resp -w "%{http_code}" -X POST \
-            -H "Authorization: token ${{ secrets.FORGEJO_TOKEN }}" \
+            -H "Authorization: token $TOKEN" \
             -H "Content-Type: application/json" \
             -d '{"Do":"squash","delete_branch_after_merge":true}' \
             "$API/pulls/$PR/merge")
           echo "merge HTTP $code"; cat /tmp/resp || true; echo
           [ "$code" = "200" ] || { echo "auto-merge failed (HTTP $code)"; exit 1; }
-          echo "PR #$PR merged."
+          echo "PR #$PR mergee."