diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 04aca1b..0183fc2 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -7,20 +7,29 @@ on:
     branches: [main]
   workflow_dispatch:
 
+# Serialize deploys: never run two deploys against the CT at the same time
+# (concurrent `docker compose up --build` on the same project races and fails).
+concurrency:
+  group: deploy-xip-prod
+  cancel-in-progress: false
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - name: Set up SSH
+      - name: Deploy over SSH to xip-app
+        env:
+          # Secrets via env (not inlined in the script) so the multi-line key
+          # keeps its newlines and never breaks shell quoting.
+          DEPLOY_HOST: ${{ secrets.XIP_DEPLOY_HOST }}
+          DEPLOY_USER: ${{ secrets.XIP_DEPLOY_USER }}
+          DEPLOY_KEY: ${{ secrets.XIP_DEPLOY_KEY }}
         run: |
+          set -e
           command -v ssh >/dev/null 2>&1 || (apt-get update && apt-get install -y --no-install-recommends openssh-client)
           mkdir -p ~/.ssh
-          printf '%s\n' "${{ secrets.XIP_DEPLOY_KEY }}" > ~/.ssh/id_ed25519
+          printf '%s\n' "$DEPLOY_KEY" > ~/.ssh/id_ed25519
           chmod 600 ~/.ssh/id_ed25519
-          ssh-keyscan -H "${{ secrets.XIP_DEPLOY_HOST }}" >> ~/.ssh/known_hosts 2>/dev/null || true
-
-      - name: Deploy over SSH
-        run: |
-          ssh -i ~/.ssh/id_ed25519 -o StrictHostKeyChecking=no \
-            "${{ secrets.XIP_DEPLOY_USER }}@${{ secrets.XIP_DEPLOY_HOST }}" \
-            'bash /opt/xip/scripts/deploy.sh'
+          ssh -i ~/.ssh/id_ed25519 \
+            -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
+            "$DEPLOY_USER@$DEPLOY_HOST" 'bash /opt/xip/scripts/deploy.sh'
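Review bot: The rewritten ssh call on the last three added lines turns off host authentication entirely (`StrictHostKeyChecking=no` together with `UserKnownHostsFile=/dev/null`), so the runner will happily run the deploy against whatever host answers at $DEPLOY_HOST, and the removed ssh-keyscan line was the only (trust-on-first-use) check the previous version had. Pin the server's key instead: add `DEPLOY_HOST_KEY: ${{ secrets.<HOST_KEY_SECRET_PLACEHOLDER> }}` to the step's `env`, write it with `printf '%s\n' "$DEPLOY_HOST_KEY" > ~/.ssh/known_hosts` after the chmod, and replace the two `-o` options with `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=~/.ssh/known_hosts` so a changed or impersonated host fails the job rather than receiving the session. On the added `set -e` line, `set -euo pipefail` would also make the `command -v ... || (...)` install step and any later pipe fail loudly. If the Gitea runner is not ephemeral (the hunk does not show which runner type is used), add a cleanup of ~/.ssh/id_ed25519 at the end of the script so the deploy key does not persist on the runner.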