diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml index f1ecf98..953dc0d 100644 --- a/.gitea/workflows/deploy.yml +++ b/.gitea/workflows/deploy.yml @@ -17,6 +17,10 @@ jobs: KEEP_N: "5" HEALTH_URL: https://stellaamor.com/ SERVICE_RELOAD: "systemctl reload apache2 || true" + SSH_OPTS: "-o BatchMode=yes -o IdentitiesOnly=yes -o NumberOfPasswordPrompts=0 \ + -o ServerAliveInterval=15 -o ServerAliveCountMax=3 \ + -o ConnectTimeout=20 -o StrictHostKeyChecking=no" + steps: - name: Checkout (pure git) @@ -26,7 +30,17 @@ jobs: git fetch --depth=1 origin "$GITHUB_SHA" git checkout -q "$GITHUB_SHA" - # (no Write SSH key step — removed) + - name: Write SSH key + run: | + install -m 700 -d ~/.ssh + umask 177 + cat > ~/.ssh/deploy_stellaamor <<'KEY' + ${{ secrets.SSH_KEY_STELLAAMOR }} + KEY + chmod 600 ~/.ssh/deploy_stellaamor + + - name: SSH smoke test + run: ssh $SSH_OPTS -i "$SSH_KEY_PATH" ${SSH_USER}@${SSH_HOST} true - name: Upload & activate atomically run: | @@ -49,7 +63,7 @@ jobs: "set -e; sudo install -d -o ${SSH_USER} -g ${SSH_USER} -m 755 ${RELEASES} ${SHARED} ${SHARED}/${UPLOADS}" # upload (verbose) - scp $SSH_OPTS -vvv -i "$SSH_KEY_PATH" "release/${REL}.tar.gz" ${SSH_USER}@${SSH_HOST}:/tmp/${REL}.tar.gz + scp -O $SSH_OPTS -vvv -i "$SSH_KEY_PATH" "release/${REL}.tar.gz" ${SSH_USER}@${SSH_HOST}:/tmp/${REL}.tar.gz # unpack/switch/reload/health/prune ssh $SSH_OPTS -i "$SSH_KEY_PATH" ${SSH_USER}@${SSH_HOST} '
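Review bot: `StrictHostKeyChecking=no` in the new `SSH_OPTS` disables host-key verification, so the deploy key, the release tarball and the remote `sudo install`/reload commands are all trusted to whichever host answers for `$SSH_HOST` — a DNS or on-path attacker gets a working deploy session. Pin the host instead: change the option to `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=~/.ssh/known_hosts` and have the key-writing step populate `~/.ssh/known_hosts` from a secret holding the server's `ssh-keyscan` output (e.g. `printf '%s\n' "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts`, with the secret mapped via `env:`). If first-contact pinning is not practical, `accept-new` is the weaker middle ground, but `no` should not ship for a step that runs `sudo` on the target. The `env:` mapping these keys belong to starts outside the hunk, so `SSH_KEY_PATH`, `SSH_USER` and `SSH_HOST` cannot be checked here.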
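Review bot: The new "Write SSH key" step leaves the private key on the runner after the job; nothing in this hunk removes it, which matters on a persistent (self-hosted) Gitea runner where the next job or another user on the box can read `~/.ssh/deploy_stellaamor`. Add a final step that always runs: `- name: Remove SSH key` / `if: always()` / `run: rm -f ~/.ssh/deploy_stellaamor`. Interpolating `${{ secrets.SSH_KEY_STELLAAMOR }}` directly into the `run:` script also means the key body becomes part of the generated shell text; passing it through `env:` and writing it with `printf '%s\n' "$DEPLOY_KEY" > ~/.ssh/deploy_stellaamor` avoids the heredoc-delimiter and indentation concerns (the collapsed diff does not show whether the substituted line is indented relative to the `KEY` terminator). The smoke test uses `$SSH_KEY_PATH`, which is defined outside this hunk — it presumably must equal `~/.ssh/deploy_stellaamor`; confirm, or write the key to `"$SSH_KEY_PATH"` so the two cannot drift.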
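Review bot: The added `-O` forces scp's legacy protocol, under which the remote side resolves the destination `/tmp/${REL}.tar.gz` through the remote shell, so this is only safe while `REL` stays free of shell metacharacters (it is assigned outside the hunk, so that cannot be verified here); worth a one-line comment above the call, `# -O: legacy scp protocol — remote has no sftp subsystem; REL must stay shell-safe`, so the flag is not dropped or the assumption forgotten later. Older scp clients that predate the flag will reject `-O` outright, so the runner's OpenSSH version becomes an implicit requirement. If enabling the sftp subsystem on the server is an option, dropping `-O` removes both caveats.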