diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index f12d14d7a..4e6213b79 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -57,14 +57,16 @@ jobs:
 --health-timeout 3s
 --health-retries 10
 redis:
- # Match docker-compose.yml (REM-023: password required even
- # in dev). Default redis:7-alpine entrypoint reads
- # REDIS_ARGS, so requirepass works without a `command:`.
+ # No-auth redis for CI: act_runner services don't support a
+ # `command:` field, and the redis:7-alpine entrypoint does
+ # NOT read REDIS_ARGS (verified empirically) — so passing
+ # --requirepass via env doesn't work. The dev/prod password
+ # policy (REM-023) is enforced via docker-compose.yml only;
+ # the CI service network is ephemeral and isolated, so
+ # dropping auth here is acceptable.
 image: redis:7-alpine
- env:
- REDIS_ARGS: "--requirepass devpassword"
 options: >-
- --health-cmd "redis-cli -a devpassword ping"
+ --health-cmd "redis-cli ping"
 --health-interval 5s
 --health-timeout 3s
 --health-retries 10
@@ -82,7 +84,7 @@ jobs:
 # Service hostnames + standard ports — no host-port mapping needed.
 env:
 DATABASE_URL: postgresql://veza:${{ secrets.E2E_DB_PASSWORD || 'devpassword' }}@postgres:5432/veza?sslmode=disable
- REDIS_URL: redis://:devpassword@redis:6379
+ REDIS_URL: redis://redis:6379
 RABBITMQ_URL: ${{ secrets.E2E_RABBITMQ_URL || 'amqp://veza:devpassword@rabbitmq:5672/' }}
 steps:
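Review bot: With `env: REDIS_ARGS` and `-a devpassword` removed from the `redis` service, the e2e job no longer exercises the authenticated Redis path that REM-023 requires in dev and prod, so a regression in how the backend handles credentials in `REDIS_URL` (changed to `redis://redis:6379` in the `@@ -82,7 +84,7 @@` hunk) would pass CI unnoticed. The new comment's claim that the CI service network is "ephemeral and isolated" depends on how the act_runner host is configured, which is not visible here; stating the assumption would help, e.g. `# Assumes act_runner gives each job its own Docker network; revisit if the runner uses host networking or a shared network.` If parity with the compose setup matters, one option to evaluate is setting the password from an early step (`redis-cli -h redis CONFIG SET requirepass ...`) and keeping the authenticated URL, bearing in mind that the unauthenticated `--health-cmd` would then need adjusting.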
@@ -140,9 +142,36 @@ jobs:
 cd veza-backend-api
 go build -o veza-api ./cmd/api/main.go
 ./veza-api > /tmp/backend.log 2>&1 &
- sleep 10
- curl -sf http://localhost:18080/api/v1/health > /tmp/health.json || (echo "Backend health check failed"; tail -50 /tmp/backend.log; exit 1)
- jq -e '.status == "ok"' /tmp/health.json || (echo "Health response invalid"; cat /tmp/health.json; exit 1)
+ BACKEND_PID=$!
+
+ # Poll for up to 30s — beats a fixed sleep on a cold start.
+ for i in $(seq 1 30); do
+ if curl -sf -m 2 http://localhost:18080/api/v1/health > /tmp/health.json 2>/dev/null; then
+ break
+ fi
+ if ! kill -0 "$BACKEND_PID" 2>/dev/null; then
+ echo "::error::backend process died before becoming reachable"
+ echo "--- /tmp/backend.log (last 200 lines) ---"
+ tail -200 /tmp/backend.log
+ exit 1
+ fi
+ sleep 1
+ done
+
+ # Always print the response body so debugging doesn't
+ # require re-running with extra logging. Artifact upload
+ # is broken under Forgejo (GHES not supported), so the
+ # log step output is our only diagnostic channel.
+ echo "--- /api/v1/health response ---"
+ cat /tmp/health.json
+ echo
+
+ if ! jq -e '.status == "ok"' /tmp/health.json >/dev/null; then
+ echo "::error::backend health is not ok"
+ echo "--- /tmp/backend.log (last 200 lines) ---"
+ tail -200 /tmp/backend.log
+ exit 1
+ fi
 echo "Backend healthy"
 - name: Install Playwright browsers
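Review bot: The polling loop has no check for the case where all 30 attempts fail while the process is still alive: control falls through to `cat /tmp/health.json` and the `jq` test on what is presumably an empty file, so a startup timeout is reported as `backend health is not ok`. A guard right after `done` would separate the two cases, e.g. `[ -s /tmp/health.json ] || { echo "::error::backend not reachable after 30s"; tail -200 /tmp/backend.log; exit 1; }`. Separately, the step now always prints the health body and, on failure, up to 200 backend log lines into job output, and secret masking only matches the exact secret value. `E2E_RABBITMQ_URL` is a whole URL, so a password the backend logs on its own would likely appear unmasked; whether the backend logs connection details is not visible here. The `run:` block this code belongs to starts above the hunk.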