diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index fbbc7c5..64fb843 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -121,7 +121,8 @@ jobs:
 env:
 KUBECTLSECRET: ${{ secrets.KUBECTLSECRET }}
 run: |
- mkdir -p ~/.kube
+ # Always use an explicit kubeconfig path (do not rely on HOME expansion)
+ export KUBECONFIG="${GITHUB_WORKSPACE}/kubeconfig"
 echo "🔍 Debugging KUBECTLSECRET..."
 echo "Secret length: ${#KUBECTLSECRET}"
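Review bot: The added `export KUBECONFIG="${GITHUB_WORKSPACE}/kubeconfig"` places the cluster credential inside the checkout directory, where a later image-build context, artifact upload or cache step can pick it up, and where it remains on a self-hosted runner that does not wipe the workspace between jobs. A location outside the checkout (for example under `$RUNNER_TEMP`, where the runner provides it), together with a final `if: always()` step that runs `rm -f "$KUBECONFIG"`, would keep the file out of anything packaged from the workspace; the `env:` entries added to the later steps would need the same path. The unchanged `echo "Secret length: ${#KUBECTLSECRET}"` also writes a property of the secret to the job log and could be reduced to an empty/non-empty check. The `run:` script continues past the end of this hunk.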
@@ -133,64 +134,48 @@ jobs:
 fi
 # Try to decode as base64 first, if that fails, use as plain text
- if echo "$KUBECTLSECRET" | base64 -d > ~/.kube/config 2>/dev/null; then
+ if echo "$KUBECTLSECRET" | base64 -d > "$KUBECONFIG" 2>/dev/null; then
 echo "✅ KUBECTLSECRET decoded as base64"
 else
 echo "⚠️ KUBECTLSECRET is not base64, using as plain text"
- echo "$KUBECTLSECRET" > ~/.kube/config
+ echo "$KUBECTLSECRET" > "$KUBECONFIG"
 fi
- echo "📁 kubeconfig created at ~/.kube/config"
- chmod 600 ~/.kube/config
+ echo "📁 kubeconfig created at $KUBECONFIG"
+ chmod 600 "$KUBECONFIG"
- # Debug kubeconfig content (without sensitive data)
- echo "🔍 Debugging kubeconfig structure..."
- echo "File size: $(wc -c < ~/.kube/config) bytes"
-
- echo "First few lines of kubeconfig (structure check):"
- head -20 ~/.kube/config | grep -E "(apiVersion|kind|clusters|contexts|users|current-context)" || echo "No standard kubeconfig structure found"
-
- echo "Checking for current-context:"
- grep "current-context:" ~/.kube/config || echo "❌ No current-context found"
-
- echo "Checking for clusters:"
- grep -A 2 "clusters:" ~/.kube/config || echo "❌ No clusters found"
-
- echo "Checking for users:"
- grep -A 2 "users:" ~/.kube/config || echo "❌ No users found"
-
- # Fix TLS issues by adding insecure-skip-tls-verify to all clusters
- echo "🔧 Fixing TLS verification for self-signed certificates..."
-
- # Get all cluster names and add insecure-skip-tls-verify
- kubectl config get-clusters | tail -n +2 | while read cluster; do
- if [ -n "$cluster" ]; then
- echo "Setting insecure-skip-tls-verify for cluster: $cluster"
- kubectl config set-cluster "$cluster" --insecure-skip-tls-verify=true
- fi
- done
-
- echo "✅ TLS configuration completed"
+ # Safe debug (do NOT print kubeconfig contents)
+ echo "🔍 kubeconfig sanity checks (safe):"
+ echo "- contains clusters: $(grep -c '^clusters:' "$KUBECONFIG" || echo 0)"
+ echo "- contains contexts: $(grep -c '^contexts:' "$KUBECONFIG" || echo 0)"
+ echo "- contains users: $(grep -c '^users:' "$KUBECONFIG" || echo 0)"
+ echo "- contains current-context: $(grep -c '^current-context:' "$KUBECONFIG" || echo 0)"
+ echo "- contains token: $(grep -c '^[[:space:]]*token:' "$KUBECONFIG" || echo 0)"
+ echo "- contains client-certificate-data: $(grep -c 'client-certificate-data:' "$KUBECONFIG" || echo 0)"
+ echo "- contains client-key-data: $(grep -c 'client-key-data:' "$KUBECONFIG" || echo 0)"
+ echo "- current-context line: $(grep '^current-context:' "$KUBECONFIG" || echo 'NOT FOUND')"
 - name: Debug kubeconfig before kubectl test
+ env:
+ KUBECONFIG: ${{ github.workspace }}/kubeconfig
 run: |
 echo "🔍 Final kubeconfig debug before kubectl test..."
- echo "File exists: $(test -f ~/.kube/config && echo 'YES' || echo 'NO')"
- echo "File size: $(wc -c < ~/.kube/config 2>/dev/null || echo '0') bytes"
+ echo "KUBECONFIG: $KUBECONFIG"
+ echo "File exists: $(test -f "$KUBECONFIG" && echo 'YES' || echo 'NO')"
+ echo "File size: $(wc -c < "$KUBECONFIG" 2>/dev/null || echo '0') bytes"
- if [ -f ~/.kube/config ]; then
- echo "First 15 lines of kubeconfig:"
- head -15 ~/.kube/config
- echo "---"
- echo "Contains 'insecure-skip-tls-verify'?: $(grep -c 'insecure-skip-tls-verify' ~/.kube/config || echo '0')"
- echo "Contains 'client-certificate-data'?: $(grep -c 'client-certificate-data' ~/.kube/config || echo '0')"
- echo "Contains 'client-key-data'?: $(grep -c 'client-key-data' ~/.kube/config || echo '0')"
- echo "Current context: $(grep 'current-context:' ~/.kube/config || echo 'NOT FOUND')"
+ if [ -f "$KUBECONFIG" ]; then
+ echo "Contains 'token': $(grep -c '^[[:space:]]*token:' "$KUBECONFIG" || echo '0')"
+ echo "Contains 'client-certificate-data': $(grep -c 'client-certificate-data:' "$KUBECONFIG" || echo '0')"
+ echo "Contains 'client-key-data': $(grep -c 'client-key-data:' "$KUBECONFIG" || echo '0')"
+ echo "Current context: $(grep '^current-context:' "$KUBECONFIG" || echo 'NOT FOUND')"
 else
 echo "❌ kubeconfig file does not exist!"
 fi
 - name: Test kubectl connection
+ env:
+ KUBECONFIG: ${{ github.workspace }}/kubeconfig
 run: |
 kubectl version --client
 echo "Testing cluster connection..."
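Review bot: The kubeconfig is created by the `> "$KUBECONFIG"` redirections under the runner's default umask (commonly 022) and only tightened afterwards by `chmod 600 "$KUBECONFIG"`, so on a shared runner the credential is briefly readable by other local accounts; a `umask 077` line ahead of the first write closes that window. In the sanity checks of both steps, `grep -c` already prints `0` and exits non-zero when nothing matches, so each `$(grep -c … || echo 0)` yields two zeros on separate lines; `|| true` keeps the output to a single number. Steps after "Test kubectl connection" lie outside this hunk, and any of them that call kubectl will need the same `KUBECONFIG` entry now that `~/.kube/config` is no longer written; declaring it once in a job-level `env:` would cover them and remove the three repeated paths.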