diff --git a/.gitea/workflows/build-deb.yaml b/.gitea/workflows/build-deb.yaml
index b93b74f..2627460 100644
--- a/.gitea/workflows/build-deb.yaml
+++ b/.gitea/workflows/build-deb.yaml
@@ -7,54 +7,51 @@ jobs:
   build:
     runs-on: self-hosted
     steps:
-      - name: Checkout
+      - name: Build and publish
+        env:
+          KUBECONFIG_B64: ${{ secrets.KUBECONFIG }}
         run: |
-          rm -rf src
-          git clone ${{ gitea.server_url }}/${{ gitea.repository }}.git src
-          cd src && git checkout ${{ github.sha }}
+          set -euo pipefail
 
-      - name: Build .deb package
-        run: |
+          # Checkout
+          WORKDIR=$(mktemp -d)
+          cd "$WORKDIR"
+          git clone "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY.git" src
           cd src
+          git checkout "$GITHUB_SHA"
+
+          # Build .deb
           VERSION="${GITHUB_REF_NAME#v}"
           PKG_NAME="${GITHUB_REPOSITORY##*/}"
           echo "Building ${PKG_NAME} version ${VERSION}"
 
-          # Update version in control file
           sed -i "s/^Version:.*/Version: ${VERSION}/" debian/control
-
-          # dpkg-deb requires uppercase DEBIAN directory
           mv debian DEBIAN
 
-          dpkg-deb --build --root-owner-group . "../${PKG_NAME}_${VERSION}_amd64.deb"
-          echo "DEB_FILE=$(ls ../*.deb)" >> "$GITHUB_ENV"
+          DEB_NAME="${PKG_NAME}_${VERSION}_amd64.deb"
+          dpkg-deb --build --root-owner-group . "${WORKDIR}/${DEB_NAME}"
+          echo "Built ${DEB_NAME}"
 
-      - name: Setup kubeconfig
-        run: |
+          # Setup kubeconfig
           mkdir -p ~/.kube
-          echo "${{ secrets.KUBECONFIG }}" | base64 -d > ~/.kube/config
+          echo "$KUBECONFIG_B64" | base64 -d > ~/.kube/config
           chmod 600 ~/.kube/config
 
-      - name: Install kubectl
-        run: |
+          # Install kubectl if needed
           if ! command -v kubectl &>/dev/null; then
             curl -sLO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
             sudo install kubectl /usr/local/bin/kubectl
           fi
 
-      - name: Publish to repo
-        run: |
+          # Publish to repo
           POD=$(kubectl get pod -n pkg-repo -l app=pkg-repo -o jsonpath='{.items[0].metadata.name}')
-
-          # Copy .deb into the reprepro sidecar
-          kubectl cp "$DEB_FILE" "pkg-repo/${POD}:/incoming/" -c reprepro
-
-          # Run reprepro to include the package
+          kubectl cp "${WORKDIR}/${DEB_NAME}" "pkg-repo/${POD}:/incoming/${DEB_NAME}" -c reprepro
           kubectl exec -n pkg-repo "${POD}" -c reprepro -- \
-            reprepro -b /repo/debian includedeb trixie "/incoming/$(basename $DEB_FILE)"
+            reprepro -b /repo/debian includedeb trixie "/incoming/${DEB_NAME}"
+          kubectl exec -n pkg-repo "${POD}" -c reprepro -- \
+            rm -f "/incoming/${DEB_NAME}"
 
           # Cleanup
-          kubectl exec -n pkg-repo "${POD}" -c reprepro -- \
-            rm -f "/incoming/$(basename $DEB_FILE)"
+          rm -rf "$WORKDIR" ~/.kube/config
 
-          echo "Published $(basename $DEB_FILE) to repo.n0ball.tw"
+          echo "Published ${DEB_NAME} to repo.n0ball.tw"