diff --git a/.gitea/workflows/build-android.yml b/.gitea/workflows/build-android.yml
index f27cf42..41163b4 100644
--- a/.gitea/workflows/build-android.yml
+++ b/.gitea/workflows/build-android.yml
@@ -54,6 +54,17 @@ jobs:
           echo "is_release=$IS_RELEASE" >> "$GITHUB_OUTPUT"
           echo "Build label: $LABEL (release=$IS_RELEASE)"
 
+      - name: Guard release tag against missing keystore
+        # Release tags MUST produce a release-signed APK, otherwise existing
+        # installs can't upgrade (signature mismatch). Fail loudly instead
+        # of silently falling back to the debug signing config.
+        # Runs before JDK/Python/SDK/NDK setup so a misconfigured release
+        # tag fails in seconds instead of after several minutes of setup.
+        if: ${{ steps.label.outputs.is_release == 'true' && env.ANDROID_KEYSTORE_BASE64 == '' }}
+        run: |
+          echo "::error::Release tag ${{ gitea.ref_name }} requires ANDROID_KEYSTORE_BASE64 (plus KEYSTORE_PASSWORD, KEY_ALIAS, KEY_PASSWORD) to be configured in Gitea → Settings → Secrets."
+          exit 1
+
       - name: Setup JDK ${{ env.JAVA_VERSION }}
         uses: actions/setup-java@v4
         with:
@@ -122,15 +133,6 @@ jobs:
           echo "path=$(pwd)/android/keystore/release.jks" >> "$GITHUB_OUTPUT"
           echo "present=true" >> "$GITHUB_OUTPUT"
 
-      - name: Guard release tag against missing keystore
-        # Release tags MUST produce a release-signed APK, otherwise existing
-        # installs can't upgrade (signature mismatch). Fail loudly instead
-        # of silently falling back to the debug signing config.
-        if: ${{ steps.label.outputs.is_release == 'true' && steps.keystore.outputs.present != 'true' }}
-        run: |
-          echo "::error::Release tag ${{ gitea.ref_name }} requires ANDROID_KEYSTORE_BASE64 (plus KEYSTORE_PASSWORD, KEY_ALIAS, KEY_PASSWORD) to be configured in Gitea → Settings → Secrets."
-          exit 1
-
       - name: Build APK
         working-directory: android
         env: