diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index ce134db3..59dc9269 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -24,26 +24,26 @@ jobs:
 restart_log=/tmp/indiekit-restart.log
 # Update code as indiekit user; point remote at internal Gitea (no auth needed — public read).
- sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && git remote set-url origin http://10.100.0.90:3000/giersig.eu/indiekit-server.git && git fetch origin && git reset --hard origin/main"'
+ doas bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && git remote set-url origin http://10.100.0.90:3000/giersig.eu/indiekit-server.git && git fetch origin && git reset --hard origin/main"'
 # Install dependencies (postinstall runs all patches automatically).
- sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && npm ci --legacy-peer-deps"'
+ doas bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && npm ci --legacy-peer-deps"'
 # Ensure env file and required secrets are present.
- sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && test -f .env"'
- sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && grep -Eq \"^SECRET=.+\" .env || { echo \"Missing SECRET in .env\"; exit 1; }"'
+ doas bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && test -f .env"'
+ doas bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && grep -Eq \"^SECRET=.+\" .env || { echo \"Missing SECRET in .env\"; exit 1; }"'
 # Preflight checks before touching the running service.
- sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && NODE_ENV=production node scripts/preflight-production-security.mjs"'
- sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && NODE_ENV=production node scripts/preflight-mongo-connection.mjs"'
+ doas bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && NODE_ENV=production node scripts/preflight-production-security.mjs"'
+ doas bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && NODE_ENV=production node scripts/preflight-mongo-connection.mjs"'
 # Restart asynchronously to avoid the SSH session hanging on open stdout.
- sudo bastille cmd node sh -lc "nohup service indiekit restart >\${restart_log} 2>&1 \${restart_log} 2>&1 /dev/null 2>&1'; then
+ if doas bastille cmd node sh -lc 'service indiekit onestatus >/dev/null 2>&1'; then
 echo "IndieKit is running."
 exit 0
 fi
@@ -52,7 +52,7 @@ jobs:
 done
 echo "IndieKit failed to start."
- sudo bastille cmd node sh -lc "tail -n 120 \${restart_log} || true"
- sudo bastille cmd node sh -lc 'service indiekit onestatus || true'
+ doas bastille cmd node sh -lc "tail -n 120 \${restart_log} || true"
+ doas bastille cmd node sh -lc 'service indiekit onestatus || true'
 exit 1
 SSHEOF
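Review bot: Every new `doas bastille cmd node ...` line in this hunk relies on a `permit nopass` rule for the SSH deploy user, but nothing makes the call fail fast if that rule is missing, so a misconfigured doas.conf would leave the non-interactive SSH session waiting on a password prompt rather than exiting with an error; prefer `doas -n bastille cmd node sh -lc '...'` on each call (the two calls in the second hunk, `tail -n 120` and `onestatus || true`, have the same issue). Separately, the update step still runs `git fetch origin && git reset --hard origin/main` over plain http from 10.100.0.90 with nothing checking what was fetched; resetting to the exact commit SHA the workflow run is deploying (passed through the SSH heredoc) instead of the moving `origin/main` would make each deploy reproducible and keep an unreviewed push to the mirror from rolling straight into production. The heredoc this hunk sits in (terminated by SSHEOF) begins before the hunk, and the restart/wait lines in the middle of the hunk are garbled in the rendered text, so they could not be reviewed here.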