diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 144d48ad..9b9c5362 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -36,9 +36,17 @@ jobs:
 set -eu
 restart_log=/tmp/indiekit-restart.log
 
+ # Ensure native sharp build prerequisites are present in the jail.
+ sudo bastille cmd node sh -lc 'env ASSUME_ALWAYS_YES=yes pkg update -f >/dev/null'
+ sudo bastille cmd node sh -lc 'env ASSUME_ALWAYS_YES=yes pkg install -y vips pkgconf python3 gmake'
+
 # Update code and dependencies as indiekit user inside the jail.
 sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && git pull origin main && npm ci && install -m 755 start.example.sh start.sh"'
 
+ # Build sharp against jail libraries and verify runtime load.
+ sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && npm rebuild sharp --build-from-source"'
+ sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && node -e \"require(\\\"sharp\\\"); console.log(\\\"sharp runtime OK\\\")\""'
+
 # Ensure env file exists and contains auth secrets required by start.sh.
 sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && test -f .env"'
 sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && if ! (grep -Eq \"^SECRET=.*\" .env && grep -Eq \"^PASSWORD_SECRET=.*\" .env); then echo \"Missing SECRET or PASSWORD_SECRET in /usr/local/indiekit/.env\"; exit 1; fi"'
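Review bot: The two added `pkg` lines run as root inside the `node` jail on every deploy, so each release force-refreshes the catalogue and installs whatever versions of `vips`, `pkgconf`, `python3` and `gmake` the repository serves at that moment, and the build toolchain then stays in the jail that appears to host the running service. I would provision these packages once when the jail is built and have the workflow only assert their presence, for example `sudo bastille cmd node sh -lc 'pkg info -e vips'` per package, so a deploy cannot silently change system libraries. The added `npm rebuild sharp --build-from-source` also runs the dependency's native build as `indiekit`, the same account that reads `/usr/local/indiekit/.env`; a comment such as `# NOTE: dependency build scripts run as indiekit and can read SECRET/PASSWORD_SECRET in .env` would make that trade-off visible. The `run` script this hunk edits starts before and continues after the hunk, so the restart step is not covered here.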