diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 22933f48..eeff518f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,6 +28,9 @@ jobs:
       - name: Validate GhosttyKit checksum verification
         run: ./tests/test_ci_ghosttykit_checksum_verification.sh
 
+      - name: Validate current GhosttyKit checksum pin
+        run: ./tests/test_ci_ghosttykit_checksum_present.sh
+
   web-typecheck:
     runs-on: ubuntu-latest
     defaults:
diff --git a/scripts/ghosttykit-checksums.txt b/scripts/ghosttykit-checksums.txt
index 582f8999..65ff7c1d 100644
--- a/scripts/ghosttykit-checksums.txt
+++ b/scripts/ghosttykit-checksums.txt
@@ -6,3 +6,4 @@ a50579bd5ddec81c6244b9b349d4bf781f667cec f7e9c0597468a263d6b75eaf815ccecd90c7933
 0cf5595817794466e3a60abe6bf97f8494dedcfe 1c6ae53ea549740bd45e59fe92714a292fb0d71a41ff915eb6b2e644468152de
 312c7b23a7c8dc0704431940d76ba5dc32a46afb ae73cb18a9d6efec42126a1d99e0e9d12022403d7dc301dfa21ed9f7c89c9e30
 404a3f175ba6baafabc46cac807194883e040980 bcbd2954f4746fe5bcb4bfca6efeddd3ea355fda2836371f4c7150271c58acbd
+bc9be90a21997a4e5f06bf15ae2ec0f937c2dc42 6b83b66768e8bba871a3753ae8ffbaabd03370b306c429cd86c9cdcc8db82589
diff --git a/tests/test_ci_ghosttykit_checksum_present.sh b/tests/test_ci_ghosttykit_checksum_present.sh
new file mode 100755
index 00000000..b1d1d577
--- /dev/null
+++ b/tests/test_ci_ghosttykit_checksum_present.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+# Fails fast when the checked-in ghostty submodule SHA lacks a pinned
+# GhosttyKit archive checksum. This prevents new ghostty bumps from merging
+# without the checksum entry that nightly/release workflows require.
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+CHECKSUMS_FILE="$ROOT_DIR/scripts/ghosttykit-checksums.txt"
+
+if [ ! -f "$CHECKSUMS_FILE" ]; then
+  echo "FAIL: missing checksum file $CHECKSUMS_FILE"
+  exit 1
+fi
+
+GHOSTTY_SHA="$(
+  git -C "$ROOT_DIR" ls-tree HEAD ghostty \
+    | awk '$4 == "ghostty" { print $3; found = 1 } END { if (!found) exit 1 }'
+)"
+
+MATCH_COUNT="$(
+  awk -v sha="$GHOSTTY_SHA" '
+    $1 == sha {
+      count += 1
+    }
+    END {
+      print count + 0
+    }
+  ' "$CHECKSUMS_FILE"
+)"
+
+if [ "$MATCH_COUNT" -eq 0 ]; then
+  echo "FAIL: scripts/ghosttykit-checksums.txt is missing an entry for ghostty $GHOSTTY_SHA"
+  exit 1
+fi
+
+if [ "$MATCH_COUNT" -ne 1 ]; then
+  echo "FAIL: scripts/ghosttykit-checksums.txt has $MATCH_COUNT entries for ghostty $GHOSTTY_SHA"
+  exit 1
+fi
+
+echo "PASS: scripts/ghosttykit-checksums.txt pins ghostty $GHOSTTY_SHA"