diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 9948905..0958302 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -38,6 +38,21 @@ jobs:
 printf '%s' "$SSH_KEY_STELLAAMOR" > ~/.ssh/deploy_stellaamor
 chmod 600 ~/.ssh/deploy_stellaamor
+ - name: Validate private key & show fingerprint
+ run: |
+ set -euo pipefail
+ ls -l ~/.ssh
+ # Check permissions
+ test -f ~/.ssh/deploy_stellaamor && chmod 600 ~/.ssh/deploy_stellaamor
+ # Fail if the key is passphrase-protected (ssh-keygen -y would prompt/fail)
+ if ! PUB=$(ssh-keygen -y -f ~/.ssh/deploy_stellaamor 2>/dev/null); then
+ echo "❌ The private key appears to be passphrase-protected or invalid."
+ exit 1
+ fi
+ echo "$PUB" > ~/.ssh/deploy_stellaamor.pub
+ ssh-keygen -lf ~/.ssh/deploy_stellaamor.pub
+
+
 - name: SSH smoke test
 run: ssh $SSH_OPTS -i "$SSH_KEY_PATH" ${SSH_USER}@${SSH_HOST} true
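Review bot: The `2>/dev/null` on the `ssh-keygen -y` line discards the only diagnostic that tells a missing file, a malformed key and a passphrase-protected key apart, so all three end in the same "passphrase-protected or invalid" message. The `test -f … && chmod 600 …` line does not catch the missing-file case either: under `set -e` a failing `test -f` on the left of `&&` does not abort the script, so execution falls through to that same message. I would pass an explicit empty passphrase so the command does not wait on a prompt, and let stderr reach the job log (ssh-keygen's error text names the failure, not the key material): `if ! PUB=$(ssh-keygen -y -P '' -f ~/.ssh/deploy_stellaamor); then`. Separately, `ls -l ~/.ssh` writes the runner's SSH directory listing into the log on every deploy; consider removing it once the key problem has been debugged.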