diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 2ebb52b..51b4a69 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -63,18 +63,19 @@ jobs:
 
       - name: Write SSH key
         run: |
-          set -eu
-          install -d -m 700 ~/.ssh
-          printf '%s\n' "${SSH_KEY}" > ~/.ssh/id_ed25519
-          sed -i 's/\r$//' ~/.ssh/id_ed25519
+          mkdir -p ~/.ssh
+          chmod 700 ~/.ssh
+          umask 077
+          printf "%s" "${SSH_KEY}" > ~/.ssh/id_ed25519
           chmod 600 ~/.ssh/id_ed25519
           if [ -n "${SSH_KNOWN_HOSTS}" ]; then
-            printf '%s\n' "${SSH_KNOWN_HOSTS}" > ~/.ssh/known_hosts
+            printf "%s\n" "${SSH_KNOWN_HOSTS}" > ~/.ssh/known_hosts
             chmod 644 ~/.ssh/known_hosts
           else
-            printf 'StrictHostKeyChecking no\n' >> ~/.ssh/config
+            echo "StrictHostKeyChecking no" >> ~/.ssh/config
           fi
 
+
       - name: Upload & activate atomically
         run: |
           set -euo pipefail