diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3ec3874a5..e7d85fe3f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -662,7 +662,7 @@ jobs:
 
   build-docs:
     name: Build Docs
-    needs: [lint]
+    needs: [lint, build-binary]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -674,18 +674,50 @@ jobs:
           key: node-modules-${{ hashFiles('bun.lock', 'patches/**') }}
       - if: steps.cache.outputs.cache-hit != 'true'
         run: bun install --frozen-lockfile
+      - name: Get CLI version
+        id: version
+        run: echo "version=$(node -p 'require("./package.json").version')" >> "$GITHUB_OUTPUT"
+      - name: Download compiled CLI binary
+        uses: actions/download-artifact@v8
+        with:
+          name: sentry-linux-x64
+          path: dist-bin
+      - name: Make binary executable
+        run: chmod +x dist-bin/sentry-linux-x64
       - name: Generate docs content
         run: bun run generate:schema && bun run generate:docs
       - name: Build Docs
         working-directory: docs
+        env:
+          PUBLIC_SENTRY_ENVIRONMENT: production
+          SENTRY_RELEASE: ${{ steps.version.outputs.version }}
+          PUBLIC_SENTRY_RELEASE: ${{ steps.version.outputs.version }}
         run: |
           bun install --frozen-lockfile
           bun run build
+      # Inject debug IDs and upload sourcemaps. The inject step adds
+      # //# debugId= and the _sentryDebugIds IIFE to deployed JS files.
+      # Both steps require SENTRY_AUTH_TOKEN (the CLI checks auth on startup).
+      - name: Inject debug IDs and upload sourcemaps
+        if: github.event_name == 'push' && env.SENTRY_AUTH_TOKEN != ''
+        env:
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: sentry
+          SENTRY_PROJECT: cli-website
+        run: |
+          ./dist-bin/sentry-linux-x64 sourcemap inject docs/dist/
+          ./dist-bin/sentry-linux-x64 sourcemap upload docs/dist/ \
+            --release "${{ steps.version.outputs.version }}" \
+            --url-prefix "~/"
+      # Remove .map files — they were uploaded to Sentry but shouldn't
+      # be deployed to production.
+      - name: Remove sourcemaps from output
+        run: find docs/dist -name '*.map' -delete
       - name: Package Docs
         run: |
           cp .nojekyll docs/dist/
           cd docs/dist && zip -r ../../gh-pages.zip .
-      - name: Upload artifact
+      - name: Upload docs artifact
         uses: actions/upload-artifact@v7
         with:
           name: gh-pages
diff --git a/.github/workflows/docs-preview.yml b/.github/workflows/docs-preview.yml
index 6cab1ce42..e7e0d5f26 100644
--- a/.github/workflows/docs-preview.yml
+++ b/.github/workflows/docs-preview.yml
@@ -31,6 +31,10 @@ jobs:
       - if: steps.cache.outputs.cache-hit != 'true'
         run: bun install --frozen-lockfile
 
+      - name: Get CLI version
+        id: version
+        run: echo "version=$(node -p 'require("./package.json").version')" >> "$GITHUB_OUTPUT"
+
       - name: Generate docs content
         run: bun run generate:schema && bun run generate:docs
 
@@ -39,10 +43,29 @@ jobs:
         env:
           # Override base path for PR preview (no /cli prefix since preview domain is different)
           DOCS_BASE_PATH: /pr-preview/pr-${{ github.event.pull_request.number }}
+          PUBLIC_SENTRY_ENVIRONMENT: staging
+          SENTRY_RELEASE: ${{ steps.version.outputs.version }}
+          PUBLIC_SENTRY_RELEASE: ${{ steps.version.outputs.version }}
         run: |
           bun install --frozen-lockfile
           bun run build
 
+      - name: Inject debug IDs and upload sourcemaps
+        if: env.SENTRY_AUTH_TOKEN != ''
+        env:
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: sentry
+          SENTRY_PROJECT: cli-website
+        run: |
+          bun run --bun src/bin.ts sourcemap inject docs/dist/
+          bun run --bun src/bin.ts sourcemap upload docs/dist/ \
+            --release "${{ steps.version.outputs.version }}" \
+            --url-prefix "~/"
+
+      # Remove .map files — uploaded to Sentry but shouldn't be deployed.
+      - name: Remove sourcemaps from output
+        run: find docs/dist -name '*.map' -delete
+
       - name: Ensure .nojekyll at gh-pages root
         run: |
           git config user.name "github-actions[bot]"
diff --git a/.github/workflows/sentry-release.yml b/.github/workflows/sentry-release.yml
index 7697decf0..cd5d0b4a2 100644
--- a/.github/workflows/sentry-release.yml
+++ b/.github/workflows/sentry-release.yml
@@ -47,7 +47,7 @@ jobs:
       # The org/ prefix is how org is specified — it is NOT part of the version.
       # The version portion must match Sentry.init({ release }) exactly.
       - name: Create release
-        run: sentry release create "sentry/${VERSION}" --project cli
+        run: sentry release create "sentry/${VERSION}" --project cli,cli-website
 
       # --auto matches the local origin remote against Sentry repo integrations.
       # continue-on-error: integration may not be configured for all orgs.
diff --git a/docs/astro.config.mjs b/docs/astro.config.mjs
index 008e16f4b..523b9b447 100644
--- a/docs/astro.config.mjs
+++ b/docs/astro.config.mjs
@@ -11,14 +11,27 @@ export default defineConfig({
   markdown: {
     smartypants: false,
   },
+  // Generate sourcemaps for Sentry. "hidden" produces .map files without
+  // adding //# sourceMappingURL comments to the output (the debug IDs
+  // injected post-build by `sentry sourcemap inject` are used instead).
+  vite: {
+    build: {
+      sourcemap: "hidden",
+    },
+  },
   integrations: [
     sentry({
       project: "cli-website",
       org: "sentry",
-      authToken: process.env.SENTRY_AUTH_TOKEN,
-      sourceMapsUploadOptions: {
-        enabled: !!process.env.SENTRY_AUTH_TOKEN,
-      },
+      environment: process.env.PUBLIC_SENTRY_ENVIRONMENT ?? "development",
+      // Note: @sentry/astro v10 does not support the `release` build-time
+      // option (todo(v11) in the source). Release is set in Sentry.init()
+      // via PUBLIC_SENTRY_RELEASE / SENTRY_RELEASE env vars instead.
+      //
+      // Disable the plugin's sourcemap upload — it pulls in @sentry/cli
+      // (20+ MB binary download). We use our own CLI post-build instead
+      // (see CI workflow: `sentry sourcemap inject` + `sentry sourcemap upload`).
+      sourceMapsUploadOptions: { enabled: false },
     }),
     starlight({
       title: "Sentry CLI",
diff --git a/docs/sentry.client.config.js b/docs/sentry.client.config.js
index d522858e8..48b259b4b 100644
--- a/docs/sentry.client.config.js
+++ b/docs/sentry.client.config.js
@@ -2,6 +2,8 @@ import * as Sentry from "@sentry/astro";
 
 Sentry.init({
   dsn: "https://2aca5fe97c71868bc3aa7fb48620dc39@o1.ingest.us.sentry.io/4510798755856384",
+  environment: import.meta.env.PUBLIC_SENTRY_ENVIRONMENT ?? "development",
+  release: import.meta.env.PUBLIC_SENTRY_RELEASE || undefined,
   sendDefaultPii: true,
   integrations: [
     Sentry.browserTracingIntegration(),
diff --git a/docs/sentry.server.config.js b/docs/sentry.server.config.js
index c0bc6c4b4..1fc3dca01 100644
--- a/docs/sentry.server.config.js
+++ b/docs/sentry.server.config.js
@@ -2,6 +2,8 @@ import * as Sentry from "@sentry/astro";
 
 Sentry.init({
   dsn: "https://2aca5fe97c71868bc3aa7fb48620dc39@o1.ingest.us.sentry.io/4510798755856384",
+  environment: process.env.PUBLIC_SENTRY_ENVIRONMENT ?? "development",
+  release: process.env.SENTRY_RELEASE || undefined,
   sendDefaultPii: true,
   enableLogs: true,
   tracesSampleRate: 1.0,