diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 7638aae5..b6a228b1 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -22,11 +22,14 @@ jobs:
 run: npm install -g solhint
 - name: Solhint
 run: solhint 'contracts/src/**/*.sol' || true # report-only until ruleset tuned
- - name: Build + EIP-170 size
- run: |
- forge build --sizes
- # Fail if SuperPaymaster exceeds the 24576-byte limit
- forge build --sizes | awk '/SuperPaymaster /{ if ($0 ~ /[0-9]/) print }'
+ - name: Build + EIP-170 size (deployable contracts only)
+ # `forge build --sizes` exits non-zero if ANY built contract exceeds the 24576-byte
+ # EIP-170 limit. `test` and `script` are forge's documented --skip aliases for
+ # `.t.sol` / `.s.sol` (see `forge build --help`), so this scopes the gate to the
+ # contracts we actually deploy and is not tripped by test-only helpers — e.g.
+ # SuperPaymasterV2Reinit, a thin SuperPaymaster subclass used purely for UUPS
+ # reinitializer testing that is never deployed.
+ run: forge build --sizes --skip test --skip script
 
 test:
 name: Stage 2 — forge test + fuzz
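Review bot: The size gate on the new `run: forge build --sizes --skip test --skip script` line is scoped by file-name suffix, not by deployability, so the comment's claim that it "is not tripped by test-only helpers" holds only for helpers that live in `.t.sol`/`.s.sol` files — a mock or helper kept under `contracts/src/` is still gated, and a contract declared inside a test or script file escapes the gate entirely (where SuperPaymasterV2Reinit actually lives is not visible here). The step comment should say this plainly so a later move of that helper into a non-test file does not silently flip the gate; e.g. `# NOTE: --skip filters by file name (.t.sol/.s.sol), not by deploy intent; keep test-only contracts in test files.` The claim that `--sizes` exits non-zero also depends on the installed forge release; the toolchain install step is outside this hunk, so it is worth confirming that it pins a version for which this holds rather than a moving nightly.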