diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 40eba61..84aab50 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -105,7 +105,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 45
     permissions:
-      contents: read
+      contents: write
     env:
       CARGO_TERM_COLOR: always
     steps:
@@ -113,8 +113,22 @@ jobs:
         if: needs.classify_changes.outputs.run_full_ci != 'true'
         run: echo "Text-only change detected; skipping workspace test run."
 
-      - name: Checkout source
-        if: needs.classify_changes.outputs.run_full_ci == 'true'
+      # For same-repo PRs, check out the PR branch head directly so we can push
+      # a regenerated openapi.json back to it. Fork PRs and push events use the
+      # default checkout (which is read-only for our purposes).
+      - name: Checkout (same-repo PR head)
+        if: |
+          needs.classify_changes.outputs.run_full_ci == 'true' &&
+          github.event_name == 'pull_request' &&
+          github.event.pull_request.head.repo.full_name == github.repository
+        uses: actions/checkout@v5.0.1
+        with:
+          ref: ${{ github.head_ref }}
+
+      - name: Checkout (default)
+        if: |
+          needs.classify_changes.outputs.run_full_ci == 'true' &&
+          !(github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository)
         uses: actions/checkout@v5.0.1
 
       - name: Install system dependencies
@@ -138,8 +152,29 @@ jobs:
 
       - name: Run workspace tests
         if: needs.classify_changes.outputs.run_full_ci == 'true'
+        # On same-repo PRs, regenerate openapi.json as part of the drift test
+        # so the following step can commit the update. Elsewhere the env var
+        # is empty, leaving the drift test in strict-check mode.
+        env:
+          OMNIGRAPH_UPDATE_OPENAPI: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) && '1' || '' }}
         run: cargo test --workspace --locked
 
+      - name: Commit regenerated openapi.json
+        if: |
+          needs.classify_changes.outputs.run_full_ci == 'true' &&
+          github.event_name == 'pull_request' &&
+          github.event.pull_request.head.repo.full_name == github.repository
+        run: |
+          if git diff --quiet -- openapi.json; then
+            echo "openapi.json is already in sync."
+            exit 0
+          fi
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add openapi.json
+          git commit -m "chore: regenerate openapi.json"
+          git push
+
   test_aws_feature:
     name: Test omnigraph-server --features aws
     needs: classify_changes
diff --git a/.github/workflows/openapi-sync.yml b/.github/workflows/openapi-sync.yml
deleted file mode 100644
index 52bf882..0000000
--- a/.github/workflows/openapi-sync.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-name: Sync OpenAPI
-
-on:
-  pull_request:
-    paths:
-      - "crates/omnigraph-server/src/**"
-      - "crates/omnigraph-server/Cargo.toml"
-      - "crates/omnigraph-server/tests/openapi.rs"
-
-concurrency:
-  group: openapi-sync-${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-permissions:
-  contents: write
-
-jobs:
-  sync:
-    name: Regenerate openapi.json
-    # Auto-commit only on same-repo PRs; forks cannot be pushed to.
-    if: github.event.pull_request.head.repo.full_name == github.repository
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    steps:
-      - name: Checkout PR branch
-        uses: actions/checkout@v5.0.1
-        with:
-          ref: ${{ github.head_ref }}
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Install system dependencies
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y protobuf-compiler libprotobuf-dev
-
-      - name: Install Rust stable
-        uses: dtolnay/rust-toolchain@stable
-
-      - name: Cache Rust build data
-        uses: Swatinem/rust-cache@v2
-        with:
-          workspaces: |
-            . -> target
-
-      - name: Regenerate openapi.json
-        run: |
-          OMNIGRAPH_UPDATE_OPENAPI=1 \
-            cargo test --locked -p omnigraph-server --test openapi openapi_spec_is_up_to_date
-
-      - name: Commit if changed
-        run: |
-          if git diff --quiet -- openapi.json; then
-            echo "openapi.json is already in sync."
-            exit 0
-          fi
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git add openapi.json
-          git commit -m "chore: regenerate openapi.json"
-          git push
diff --git a/crates/omnigraph-server/tests/openapi.rs b/crates/omnigraph-server/tests/openapi.rs
index 3c136bf..b257796 100644
--- a/crates/omnigraph-server/tests/openapi.rs
+++ b/crates/omnigraph-server/tests/openapi.rs
@@ -971,7 +971,10 @@ fn openapi_spec_is_up_to_date() {
 
     let generated = serde_json::to_string_pretty(&openapi_doc()).unwrap() + "\n";
 
-    if env::var("OMNIGRAPH_UPDATE_OPENAPI").is_ok() {
+    if !env::var("OMNIGRAPH_UPDATE_OPENAPI")
+        .unwrap_or_default()
+        .is_empty()
+    {
         fs::write(&spec_path, &generated).unwrap();
         return;
     }