diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml index cbf8edc..d502574 100644 --- a/.gitea/workflows/ci.yaml +++ b/.gitea/workflows/ci.yaml @@ -34,6 +34,7 @@ jobs: run: | cp .env.example .env php artisan key:generate --force + - name: Install NPM dependencies run: npm ci || npm install --no-audit --no-fund @@ -78,6 +79,7 @@ jobs: uses: actions/upload-artifact@v3.2.2-node20 with: name: laravel-build + include-hidden-files: true path: | app bootstrap 
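Review bot: `include-hidden-files: true` on the `laravel-build` upload applies to every entry under `path:`, so any dotfile inside those directories now ships in the artifact, not only the one the deploy needs (presumably `public/.htaccess`, given the check added later in this commit). The path list continues outside the hunk; if it ever names the workspace root or a directory holding `.env` or `.git`, the `.env` written by the earlier `key:generate` step would be uploaded too. I would record the intent with a comment above the option: `# needed for public/.htaccess; keep path entries narrow so .env and .git are never matched`.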
@@ -106,40 +108,24 @@ jobs: name: laravel-build path: release - - name: Install SSH deployment tools - run: sudo apt-get update && sudo apt-get install -y openssh-client sshpass rsync + - name: Install sshpass + run: sudo apt-get update && sudo apt-get install -y sshpass - - name: Configure SSH - env: - DEPLOY_KNOWN_HOSTS: ${{ secrets.DEPLOY_KNOWN_HOSTS }} - run: | - mkdir -p ~/.ssh - chmod 700 ~/.ssh - if [ -n "$DEPLOY_KNOWN_HOSTS" ]; then - echo "$DEPLOY_KNOWN_HOSTS" >> ~/.ssh/known_hosts - chmod 600 ~/.ssh/known_hosts - fi - - name: Test SSH password login + - name: Install rsync + run: sudo apt-get install -y rsync + + - name: Add SSH host to known_hosts env: DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }} DEPLOY_PORT: ${{ secrets.DEPLOY_PORT }} - DEPLOY_USER: ${{ secrets.DEPLOY_USER }} - DEPLOY_PASSWORD: ${{ secrets.DEPLOY_PASSWORD }} - SSHPASS: ${{ secrets.DEPLOY_PASSWORD }} + DEPLOY_KNOWN_HOSTS: ${{ secrets.DEPLOY_KNOWN_HOSTS }} run: | - if [ -z "$DEPLOY_PASSWORD" ]; then - echo "DEPLOY_PASSWORD secret is empty." - exit 1 + if [ -n "$DEPLOY_KNOWN_HOSTS" ]; then + echo "$DEPLOY_KNOWN_HOSTS" >> ~/.ssh/known_hosts + else + ssh-keyscan -p "${DEPLOY_PORT:-22}" "$DEPLOY_HOST" >> ~/.ssh/known_hosts fi - sshpass -e ssh \ - -p "${DEPLOY_PORT:-22}" \ - -o StrictHostKeyChecking=no \ - -o UserKnownHostsFile=/dev/null \ - -o PreferredAuthentications=password \ - -o PubkeyAuthentication=no \ - -o NumberOfPasswordPrompts=1 \ - "${DEPLOY_USER}@${DEPLOY_HOST}" \ - "echo SSH connection ok" + - name: Deploy files with rsync over SSH env: DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }} 
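Review bot: The `else` branch of the new "Add SSH host to known_hosts" step gives no host authentication: `ssh-keyscan` fetches the key over the same network path at deploy time, so whichever host answers is trusted, and the later `sshpass` steps then send `DEPLOY_PASSWORD` to it. The step should fail when `DEPLOY_KNOWN_HOSTS` is empty instead of scanning. It also appends to `~/.ssh/known_hosts` without creating `~/.ssh`: the `mkdir -p ~/.ssh` this commit adds sits in the later rsync step (hunk `@@ -153,9 +139,10 @@`), and the `chmod 700`/`chmod 600` from the removed "Configure SSH" step are gone, so on a runner without that directory the redirect fails. A fail-closed version of the `run:` body follows.

```yaml
      - name: Add SSH host to known_hosts
        # … unchanged: env block (DEPLOY_HOST, DEPLOY_PORT, DEPLOY_KNOWN_HOSTS) …
        run: |
          if [ -z "$DEPLOY_KNOWN_HOSTS" ]; then
            echo "DEPLOY_KNOWN_HOSTS secret is empty; refusing to trust an unverified host key."
            exit 1
          fi
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          printf '%s\n' "$DEPLOY_KNOWN_HOSTS" >> ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
```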
@@ -153,9 +139,10 @@ jobs: echo "DEPLOY_PASSWORD secret is empty." exit 1 fi + mkdir -p ~/.ssh - sshpass -e rsync -az --delete \ - -e "ssh -p ${DEPLOY_PORT:-22} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=password -o PubkeyAuthentication=no -o NumberOfPasswordPrompts=1" \ + rsync -az --delete \ + -e "sshpass -e ssh -p ${DEPLOY_PORT:-22}" \ --exclude='.env' \ --exclude='storage/' \ --exclude='storage/logs/*' \ @@ -163,6 +150,9 @@ jobs: --exclude='storage/framework/sessions/*' \ --exclude='storage/framework/views/*' \ release/ "${DEPLOY_USER}@${DEPLOY_HOST}:${DEPLOY_PATH}" + + sshpass -e ssh -p "${DEPLOY_PORT:-22}" "${DEPLOY_USER}@${DEPLOY_HOST}" "test -f \"${DEPLOY_PATH}/public/.htaccess\" || { echo 'public/.htaccess missing after rsync'; exit 1; }" + - name: Create .env on server from secret env: DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }} @@ -177,19 +167,14 @@ jobs: echo "DEPLOY_ENV_FILE secret is empty." exit 1 fi + if [ -z "$DEPLOY_PASSWORD" ]; then echo "DEPLOY_PASSWORD secret is empty." exit 1 fi - printf '%s' "$DEPLOY_ENV_FILE" | sshpass -e ssh \ - -p "${DEPLOY_PORT:-22}" \ - -o StrictHostKeyChecking=no \ - -o UserKnownHostsFile=/dev/null \ - -o PreferredAuthentications=password \ - -o PubkeyAuthentication=no \ - -o NumberOfPasswordPrompts=1 \ - "${DEPLOY_USER}@${DEPLOY_HOST}" \ - "mkdir -p \"${DEPLOY_PATH}\" && cat > \"${DEPLOY_PATH}/.env\" && chmod 600 \"${DEPLOY_PATH}/.env\"" + + printf '%s' "$DEPLOY_ENV_FILE" | sshpass -e ssh -p "${DEPLOY_PORT:-22}" "${DEPLOY_USER}@${DEPLOY_HOST}" "mkdir -p \"${DEPLOY_PATH}\" && cat > \"${DEPLOY_PATH}/.env\" && chmod 600 \"${DEPLOY_PATH}/.env\"" + - name: Run post-deploy Laravel commands env: DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }} 
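Review bot: The new `-e "sshpass -e ssh -p ${DEPLOY_PORT:-22}"` transport relies on the runner's ssh defaults for host-key checking now that the explicit `-o` options are gone. If the runner image's `ssh_config` relaxes `StrictHostKeyChecking`, the known_hosts entry added earlier stops being enforced without any visible change in this file. I would pin it with `-e "sshpass -e ssh -p ${DEPLOY_PORT:-22} -o StrictHostKeyChecking=yes"` and add the same option to the `sshpass -e ssh` calls in the three later hunks. The step's `env:` block and opening lines are outside this hunk.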
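Review bot: The added `test -f … public/.htaccess` check runs only after `rsync -az --delete` has already written to `${DEPLOY_PATH}`, and nothing visible in this step rejects an empty `DEPLOY_PATH` first. With an empty value the rsync destination becomes `user@host:`, which is the login directory, and `--delete` would remove unrelated files there before the check reports anything. Assuming no guard exists above the hunk, add one next to the `DEPLOY_PASSWORD` check: `: "${DEPLOY_PATH:?DEPLOY_PATH secret is empty}"`. The post-deploy step in the last hunk has the same gap.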
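Review bot: In the collapsed `.env` command, `cat > \"${DEPLOY_PATH}/.env\"` creates the file under the remote account's default umask and only then runs `chmod 600`. On a first deploy the secrets are therefore briefly readable with whatever mode that umask yields (commonly 0644). Creating the file with restrictive permissions from the start closes that window: `mkdir -p \"${DEPLOY_PATH}\" && ( umask 077 && cat > \"${DEPLOY_PATH}/.env\" )`. The subshell keeps the umask from affecting the `mkdir`. The step's `env:` block lies partly outside the hunk.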
@@ -203,15 +188,9 @@ jobs: echo "DEPLOY_PASSWORD secret is empty." exit 1 fi - sshpass -e ssh \ - -p "${DEPLOY_PORT:-22}" \ - -o StrictHostKeyChecking=no \ - -o UserKnownHostsFile=/dev/null \ - -o PreferredAuthentications=password \ - -o PubkeyAuthentication=no \ - -o NumberOfPasswordPrompts=1 \ - "${DEPLOY_USER}@${DEPLOY_HOST}" \ - "cd ${DEPLOY_PATH} && mkdir -p storage/framework/cache/data storage/framework/sessions storage/framework/views storage/logs bootstrap/cache && chmod -R ug+rw storage bootstrap/cache && php artisan optimize:clear && php artisan config:cache && php artisan route:cache && php artisan view:cache" + + sshpass -e ssh -p "${DEPLOY_PORT:-22}" "${DEPLOY_USER}@${DEPLOY_HOST}" "cd ${DEPLOY_PATH} && mkdir -p storage/framework/cache/data storage/framework/sessions storage/framework/views storage/logs bootstrap/cache && chmod -R ug+rw storage bootstrap/cache && php artisan optimize:clear && php artisan config:cache && php artisan route:cache && php artisan view:cache" + # Required repository secrets: # - DEPLOY_HOST: Server hostname or IP. # - DEPLOY_PORT: SSH port (optional, defaults to 22).
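Review bot: The re-added post-deploy command uses `cd ${DEPLOY_PATH}` unquoted, while the `.env` and `.htaccess` steps in this commit wrap the same value in `\"…\"`. A path containing spaces or shell metacharacters is split or interpreted by the remote shell before `mkdir -p`, `chmod -R ug+rw` and the `artisan` calls run. Quote it the same way as the other steps: `"cd -- \"${DEPLOY_PATH}\" && mkdir -p storage/framework/cache/data …"`. Since the line is being rewritten anyway, a `run: |` body with one remote command per `&&` line would also be easier to review than a single line of this length.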