diff --git a/.forgejo/workflows/generate-banlist-graph.yml b/.forgejo/workflows/generate-banlist-graph.yml
index 1670e6f..9644636 100644
--- a/.forgejo/workflows/generate-banlist-graph.yml
+++ b/.forgejo/workflows/generate-banlist-graph.yml
@@ -79,15 +79,15 @@ jobs:
             # Fetch updates and tags, prune deleted refs
             git fetch --all --tags --prune
 
-            # Decide target
-            if [ -n "${GITHUB_SHA:-}" ]; then
-              TARGET="$GITHUB_SHA"
-              git checkout -q "$TARGET" || true
-              git reset --hard "$TARGET"
-            elif [ -n "${GITHUB_REF_NAME:-}" ]; then
+            # Decide target (prefer branch name to avoid detached HEAD)
+            if [ -n "${GITHUB_REF_NAME:-}" ]; then
               BRANCH="$GITHUB_REF_NAME"
               git checkout -q -B "$BRANCH" "origin/$BRANCH" || git checkout -q "$BRANCH" || true
               git reset --hard "origin/$BRANCH" || true
+            elif [ -n "${GITHUB_SHA:-}" ]; then
+              TARGET="$GITHUB_SHA"
+              git checkout -q "$TARGET" || true
+              git reset --hard "$TARGET"
             else
               # Fallback to main
               git checkout -q -B main origin/main || git checkout -q main || true
@@ -103,13 +103,13 @@ jobs:
             fi
             git config --global --add safe.directory "$(pwd)"
 
-            # Checkout the requested ref if provided
-            if [ -n "${GITHUB_SHA:-}" ]; then
-              git fetch origin "$GITHUB_SHA" || true
-              git checkout -q "$GITHUB_SHA" || true
-            elif [ -n "${GITHUB_REF_NAME:-}" ]; then
+            # Checkout the requested ref if provided (prefer branch)
+            if [ -n "${GITHUB_REF_NAME:-}" ]; then
               git fetch origin "$GITHUB_REF_NAME" || true
               git checkout -q "$GITHUB_REF_NAME" || true
+            elif [ -n "${GITHUB_SHA:-}" ]; then
+              git fetch origin "$GITHUB_SHA" || true
+              git checkout -q "$GITHUB_SHA" || true
             fi
           fi
 
@@ -132,15 +132,26 @@ jobs:
           if [ -n "$(git status --porcelain -- metrics assets)" ]; then
             git add -A metrics assets
             git commit -m "chore: update banlist history graph [skip ci]"
+            # Determine target branch (handles detached HEAD) and push
+            TARGET_BRANCH="${GITHUB_REF_NAME:-}"
+            if [ -z "$TARGET_BRANCH" ] || [ "$TARGET_BRANCH" = "HEAD" ]; then
+              CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD || echo HEAD)
+              if [ "$CURRENT_BRANCH" != "HEAD" ]; then
+                TARGET_BRANCH="$CURRENT_BRANCH"
+              else
+                TARGET_BRANCH="main"
+              fi
+            fi
+
             # Push to the same remote we cloned from; token is in the origin URL if present
-            git push || {
+            git push origin HEAD:"refs/heads/$TARGET_BRANCH" || {
               echo "First push failed; trying to embed token in remote..." >&2
               if [ -n "${GITHUB_TOKEN:-}" ]; then
                 ACTOR="${GITHUB_ACTOR:-oauth2}"
                 ORIGIN_URL=$(git remote get-url origin)
                 AUTH_URL=$(printf '%s' "$ORIGIN_URL" | sed -E "s#^https://#https://${ACTOR}:${GITHUB_TOKEN}@#")
                 git remote set-url origin "$AUTH_URL"
-                git push
+                git push origin HEAD:"refs/heads/$TARGET_BRANCH"
               else
                 false
               fi