diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a8948040b..93b18cb78 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,6 +11,9 @@ on:
 jobs:
 preview:
 runs-on: "runs-on=${{ github.run_id }}/family=g4dn.2xlarge/image=quantecon_ubuntu2404/disk=large"
+ env:
+ NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
+ NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
 steps:
 - uses: actions/checkout@v5
 with:
@@ -168,6 +171,11 @@ jobs:
 fi
 - name: Preview Deploy to Netlify
 id: netlify-deploy
+ if: >
+ github.actor != 'dependabot[bot]' &&
+ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) &&
+ env.NETLIFY_AUTH_TOKEN != '' &&
+ env.NETLIFY_SITE_ID != ''
 shell: bash -l {0}
 run: |
 if [ "${{ github.event_name }}" = "pull_request" ]; then
@@ -238,11 +246,16 @@ jobs:
 echo "🎯 Preview page: ${deploy_url}/${{ github.event.inputs.preview_page }}"
 fi
 fi
- env:
- NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
- NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
+ - name: Skip Netlify Deploy (no secrets or untrusted actor)
+ if: >
+ !(github.actor != 'dependabot[bot]' &&
+ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) &&
+ env.NETLIFY_AUTH_TOKEN != '' &&
+ env.NETLIFY_SITE_ID != '')
+ run: |
+ echo "Skipping Netlify preview deploy: secrets unavailable or actor not trusted (actor=${{ github.actor }})"
 - name: Post PR Comment with Preview Links
- if: github.event_name == 'pull_request'
+ if: github.event_name == 'pull_request' && steps.netlify-deploy.outputs.deploy_url != ''
 uses: actions/github-script@v7
 with:
 script: |
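Review bot: Declaring `NETLIFY_AUTH_TOKEN` and `NETLIFY_SITE_ID` in the job-level `env:` under `preview:` puts the deploy token in the environment of every step in the job, including checkout and whatever build steps sit between the hunks. Before the third hunk removed it, the token was scoped to the deploy step alone. The move looks motivated by the new `if:` needing `env.NETLIFY_AUTH_TOKEN`, but the same gate works without widening exposure. A small step can receive the secrets in its own `env:` and write only a boolean to `$GITHUB_OUTPUT`, while the deploy step keeps its step-level `env:` and tests `steps.netlify-creds.outputs.available == 'true'`. The `steps:` list continues outside this hunk, so where the check step sits relative to the build is for the author to confirm.

```yaml
    steps:
      # … unchanged: checkout and build steps …
      - name: Check Netlify credentials
        id: netlify-creds
        env:
          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
        run: |
          if [ -n "$NETLIFY_AUTH_TOKEN" ] && [ -n "$NETLIFY_SITE_ID" ]; then
            echo "available=true" >> "$GITHUB_OUTPUT"
          else
            echo "available=false" >> "$GITHUB_OUTPUT"
          fi
      # … unchanged: deploy step, keeping its own step-level env: block …
```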
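Review bot: The four-clause trust condition on `netlify-deploy` is repeated, negated, on the new "Skip Netlify Deploy" step in the third hunk, so an edit to one copy can leave a run where both steps or neither execute. The skip step can key off the deploy step's result instead, `if: steps.netlify-deploy.conclusion == 'skipped'`, which leaves a single place that decides who may deploy. A short comment above this `if:` would also record the intent, e.g. `# fork PRs and Dependabot runs get no repository secrets; skip rather than fail`. The step's `run:` body continues outside the hunk.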
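Review bot: The new skip message expands `${{ github.actor }}` inside the `run:` script, so the value is pasted into the shell source before bash parses it. The unchanged echo at the top of this hunk does the same with `github.event.inputs.preview_page`, which is free-form text. Actor logins have a restricted character set, so this is a hardening point rather than a live defect. Passing values through the step environment keeps expression text out of the script: add `ACTOR: ${{ github.actor }}` under the step's `env:` and print `echo "... (actor=${ACTOR})"`. The message also folds three different skip reasons into one line, and naming which clause failed would make a skipped preview easier to triage.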