diff --git a/.gitea/workflows/prepare-release.yml b/.gitea/workflows/prepare-release.yml
index 3f2b199..1af59d1 100644
--- a/.gitea/workflows/prepare-release.yml
+++ b/.gitea/workflows/prepare-release.yml
@@ -9,7 +9,7 @@ permissions:
 
 jobs:
   prepare:
-    if: ${{ !startsWith(github.event.head_commit.message, 'chore(release): prepare ') }}
+    if: "${{ !startsWith(github.event.head_commit.message, 'chore(release): prepare ') }}"
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
diff --git a/CHANGELOG.md b/CHANGELOG.md
index beb3b1a..897d4cd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -40,6 +40,7 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect
 - Coverage summary generation is now resilient when badge outputs or `coverage-packages.md` are unavailable, preventing summary-step hard failures after earlier skips.
 - Push and PR validation no longer depend on external `vociferate/coverage-badge` action fetches, avoiding pipeline failures during external TLS/certificate outages.
 - Release automation no longer depends on external `vociferate` action fetches; local repository scripts now prepare tags from `CHANGELOG.md` and publish Gitea releases directly via the API, avoiding TLS/certificate outages on the external action host.
+- `prepare-release.yml` now quotes the job-level `if:` expression guarding release-preparation commits, fixing YAML parsing errors caused by the colon in the release commit message prefix.
 - README badge link target updated to `actions/runs/latest?workflow=...` format per workflow standards.
 - CI security scanning now uses GitHub Marketplace actions (`securego/gosec` and `golang/govulncheck-action`) instead of manual tool installation, improving reliability and caching.
 - CI setup compatibility fix: gosec scanner now references the correct public action source (`securego/gosec`), resolving action clone failures in Gitea runners.