diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml
index 5c1e507a..8d4a8bd4 100644
--- a/.github/workflows/merge.yml
+++ b/.github/workflows/merge.yml
@@ -33,6 +33,7 @@ jobs:
             -p ORACLE_DB_PASSWORD='${{ secrets.ORACLE_DB_PASSWORD }}'
             -p POSTGRES_DB_PASSWORD='${{ secrets.POSTGRES_DB_PASSWORD }}'
             -p FORESTCLIENTAPI_KEY='${{ secrets.FORESTCLIENTAPI_KEY }}'
+            -p VITE_USER_POOLS_WEB_CLIENT_ID=${{ vars.VITE_USER_POOLS_WEB_CLIENT_ID }}
             -p ZONE=test
 
   deploys-test:
@@ -63,7 +64,6 @@ jobs:
             file: frontend/openshift.deploy.yml
             overwrite: true
             parameters:
-              -p VITE_USER_POOLS_WEB_CLIENT_ID=${{ vars.VITE_USER_POOLS_WEB_CLIENT_ID }}
               -p FAM_ROUTE=test
           - name: fluentbit
             file: common/openshift.fluentbit.yml
@@ -105,6 +105,7 @@ jobs:
             -p ORACLE_DB_PASSWORD='${{ secrets.ORACLE_DB_PASSWORD }}'
             -p POSTGRES_DB_PASSWORD='${{ secrets.POSTGRES_DB_PASSWORD }}'
             -p FORESTCLIENTAPI_KEY='${{ secrets.FORESTCLIENTAPI_KEY }}'
+            -p VITE_USER_POOLS_WEB_CLIENT_ID=${{ vars.VITE_USER_POOLS_WEB_CLIENT_ID }}
             -p ZONE=prod
 
   image-promotions:
@@ -150,7 +151,6 @@ jobs:
             file: frontend/openshift.deploy.yml
             overwrite: true
             parameters:
-              -p VITE_USER_POOLS_WEB_CLIENT_ID=${{ vars.VITE_USER_POOLS_WEB_CLIENT_ID }}
               -p FAM_ROUTE=prod
           - name: fluentbit
             file: common/openshift.fluentbit.yml
diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml
index c54c46d7..6a009bf0 100644
--- a/.github/workflows/pr-open.yml
+++ b/.github/workflows/pr-open.yml
@@ -64,12 +64,11 @@ jobs:
             -p ORACLE_DB_PASSWORD='${{ secrets.ORACLE_DB_PASSWORD }}'
             -p POSTGRES_DB_PASSWORD='${{ secrets.POSTGRES_DB_PASSWORD }}'
             -p FORESTCLIENTAPI_KEY='${{ secrets.FORESTCLIENTAPI_KEY }}'
+            -p VITE_USER_POOLS_WEB_CLIENT_ID=${{ vars.VITE_USER_POOLS_WEB_CLIENT_ID }}
           triggers: ('common/' 'backend/' 'frontend/')
 
   builds:
     name: Builds
-    needs: [init]
-    if: "!github.event.pull_request.head.repo.fork"
     runs-on: ubuntu-24.04
     permissions:
       packages: write
@@ -95,8 +94,7 @@ jobs:
 
   deploys:
     name: Deploys
-    if: "!github.event.pull_request.head.repo.fork"
-    needs: [builds]
+    needs: [builds, init]
     runs-on: ubuntu-24.04
     strategy:
       matrix:
@@ -120,7 +118,6 @@ jobs:
           - name: frontend
             file: frontend/openshift.deploy.yml
             parameters:
-              -p VITE_USER_POOLS_WEB_CLIENT_ID=${{ vars.VITE_USER_POOLS_WEB_CLIENT_ID }}
               -p MIN_REPLICAS=1
               -p MAX_REPLICAS=1
               -p FAM_ROUTE="$(( ${{ github.event.number }} % 50 ))"
diff --git a/common/openshift.init.yml b/common/openshift.init.yml
index 48aaccad..f6f83b4b 100644
--- a/common/openshift.init.yml
+++ b/common/openshift.init.yml
@@ -37,6 +37,9 @@ parameters:
   - name: FORESTCLIENTAPI_KEY
     description:
     required: true
+  - name: VITE_USER_POOLS_WEB_CLIENT_ID
+    description: Cognito user pools web client ID
+    required: true
 objects:
   - apiVersion: v1
     kind: Secret
@@ -60,7 +63,6 @@ objects:
       oracle-password: ${ORACLE_DB_PASSWORD}
       oracle-secret: ${ORACLEDB_SECRET}
       forest-client-api-key: ${FORESTCLIENTAPI_KEY}
-
   - apiVersion: v1
     kind: Secret
     metadata:
@@ -85,6 +87,14 @@ objects:
                   network.openshift.io/policy-group: ingress
       policyTypes:
         - Ingress
+  - apiVersion: v1
+    kind: Secret
+    metadata:
+      name: ${NAME}-${ZONE}-frontend
+      labels:
+        app: ${NAME}-${ZONE}
+    stringData:
+      vite-user-pools-web-client-id: ${VITE_USER_POOLS_WEB_CLIENT_ID}
   - apiVersion: networking.k8s.io/v1
     kind: NetworkPolicy
     metadata:
diff --git a/frontend/openshift.deploy.yml b/frontend/openshift.deploy.yml
index 92e16b81..f20f6f6c 100644
--- a/frontend/openshift.deploy.yml
+++ b/frontend/openshift.deploy.yml
@@ -44,7 +44,6 @@ parameters:
   - name: LOG_LEVEL
     description: Caddy logging level DEBUG, INFO, WARN, ERROR, PANIC, and FATAL (https://github.com/caddyserver/caddy/blob/master/logging.go)
     value: "info"
-  - name: VITE_USER_POOLS_WEB_CLIENT_ID
   - name: VITE_ZONE
     value: DEV
   - name: RANDOM_EXPRESSION
@@ -83,12 +82,15 @@ objects:
                   value: "${LOG_LEVEL}"
                 - name: VITE_BACKEND_URL
                   value: "https://${NAME}-${ZONE}-backend.${DOMAIN}"
-                - name: VITE_USER_POOLS_WEB_CLIENT_ID
-                  value: "${VITE_USER_POOLS_WEB_CLIENT_ID}"
                 - name: VITE_ZONE
                   value: "${ZONE}"
                 - name: RANDOM_EXPRESSION
                   value: ${RANDOM_EXPRESSION}
+                - name: VITE_USER_POOLS_WEB_CLIENT_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: ${NAME}-${ZONE}-frontend
+                      key: vite-user-pools-web-client-id
               ports:
                 - containerPort: 3000
                   protocol: TCP