diff --git a/.gitea/workflows/ci-cd.yml b/.gitea/workflows/ci-cd.yml
index fdd3679..006ad57 100644
--- a/.gitea/workflows/ci-cd.yml
+++ b/.gitea/workflows/ci-cd.yml
@@ -85,8 +85,27 @@ jobs:
         run: |
           set -euo pipefail
           rm -rf .venv .ci-python-env
+          CLEAN_PATH=""
+          IFS=: read -r -a PATH_PARTS <<< "${PATH}"
+          for path_part in "${PATH_PARTS[@]}"; do
+            case "${path_part}" in
+              .venv/bin|*/.venv/bin)
+                continue
+                ;;
+            esac
+            CLEAN_PATH="${CLEAN_PATH:+${CLEAN_PATH}:}${path_part}"
+          done
+          export PATH="${CLEAN_PATH}"
+          hash -r
           PROJECT_PYTHON_VERSION="$(cat .python-version 2>/dev/null || printf '%s' "${PYTHON_VERSION}")"
           PYTHON_BIN="$(./scripts/ensure-ci-python.sh "${PROJECT_PYTHON_VERSION}")"
+          case "${PYTHON_BIN}" in
+            .venv/*|*/.venv/*)
+              echo "Refusing to use project virtualenv as base Python: ${PYTHON_BIN}" >&2
+              exit 1
+              ;;
+          esac
+          "${PYTHON_BIN}" --version
 
           printf 'PYTHON_BIN=%s\n' "${PYTHON_BIN}" > .ci-python-env
 
@@ -94,6 +113,12 @@ jobs:
         run: |
           set -euo pipefail
           . ./.ci-python-env
+          case "${PYTHON_BIN}" in
+            .venv/*|*/.venv/*)
+              echo "Refusing to create venv from project virtualenv: ${PYTHON_BIN}" >&2
+              exit 1
+              ;;
+          esac
           "${PYTHON_BIN}" -m venv .venv
           . .venv/bin/activate
           python -m pip install "uv==${UV_VERSION}"
diff --git a/scripts/ensure-ci-python.sh b/scripts/ensure-ci-python.sh
index 09f4b2c..b7f6ae1 100755
--- a/scripts/ensure-ci-python.sh
+++ b/scripts/ensure-ci-python.sh
@@ -34,7 +34,7 @@ python_has_venv() {
 print_if_usable() {
   local candidate="$1"
   case "${candidate}" in
-    "${PWD}/.venv/"*)
+    .venv/*|*/.venv/*)
       return 1
       ;;
   esac