diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml
index 83cd876..beb9543 100644
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@@ -15,6 +15,11 @@ jobs:
       - name: Install ansible
         run: pip3 install ansible --quiet --break-system-packages
 
+      - name: Write vault password
+        run: |
+          echo "${{ secrets.VAULT_PASSWORD }}" > ~/.vault-password-file
+          chmod 600 ~/.vault-password-file
+
       - name: Syntax check
         run: ansible-playbook playbooks/deploy.yml --syntax-check -i inventory/
 
diff --git a/inventory/group_vars/all/main.yml b/inventory/group_vars/all/main.yml
index 380d52a..6895b4b 100644
--- a/inventory/group_vars/all/main.yml
+++ b/inventory/group_vars/all/main.yml
@@ -26,4 +26,4 @@ syncthing_basic_auth_htpasswd: "{{ vault_syncthing_basic_auth_htpasswd }}"
 forgejo_runner_token:         "{{ vault_forgejo_runner_token }}"
 
 # CI/CD deploy key (public key — not a secret)
-ci_deploy_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6kK8+/9cMo9sFUIQAupPfcD3A6UixmAzB0r8jAf0kz ci-deploy@forgejo-runner"
+ci_deploy_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdr9mRSSUqt7Ym4wA5RpVyz76wEXSOtVfh2/yCSMIbg ci-deploy@forgejo-runner"