diff --git a/.github/workflows/deploy-homelab.yml b/.github/workflows/deploy.yml similarity index 61% rename from .github/workflows/deploy-homelab.yml rename to .github/workflows/deploy.yml index ee1fd22..62e7eab 100644 --- a/.github/workflows/deploy-homelab.yml +++ b/.github/workflows/deploy.yml @@ -1,4 +1,4 @@ -name: "Deploy to Homelab" +name: "Deploy to birb co. production" on: push: @@ -14,6 +14,15 @@ jobs: - name: Check out repository uses: actions/checkout@v3 + - name: Validate required secrets + run: | + set -euo pipefail + : "${SSH_PRIVATE_KEY:?SSH_PRIVATE_KEY secret must be set}" + : "${JWT_SECRET:?JWT_SECRET secret must be set}" + env: + SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} + JWT_SECRET: ${{ secrets.JWT_SECRET }} + - name: Set up SSH key run: | mkdir -p ~/.ssh @@ -34,15 +43,14 @@ jobs: - name: Deploy on server with Docker run: | - ssh -i ~/.ssh/id_ed25519 ${{ vars.USERNAME }}@${{ vars.HOST }} << 'EOF' + ssh -i ~/.ssh/id_ed25519 ${{ vars.USERNAME }}@${{ vars.HOST }} << EOF cd ~/${{ vars.DIRECTORY_NAME }} + export JWT_SECRET='${{ secrets.JWT_SECRET }}' export TRUST_PROXY=true export COOKIE_SECURE=true - export JWT_SECRET=${{ secrets.JWT_SECRET }} - export PORT=${{ vars.PORT }} - export BASE_URL=${{ vars.BASE_URL }} - export MAX_FILE_SIZE=${{ vars.MAX_FILE_SIZE }} - docker compose -f docker-compose.yml down - docker compose -f docker-compose.yml up -d --build + export PORT='${{ vars.PORT }}' + export BASE_URL='${{ vars.BASE_URL }}' + export MAX_FILE_SIZE='${{ vars.MAX_FILE_SIZE }}' + docker compose -f compose.yaml down + docker compose -f compose.yaml up -d --build EOF - diff --git a/README.md b/README.md index 85bb986..c77d138 100644 --- a/README.md +++ b/README.md 
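Review bot: In the `@@ -14,6 +14,15 @@` hunk of `.github/workflows/deploy.yml`, the new `Validate required secrets` step guards only `SSH_PRIVATE_KEY` and `JWT_SECRET`, while the deploy step also interpolates `vars.USERNAME`, `vars.HOST` and `vars.DIRECTORY_NAME`. If `DIRECTORY_NAME` is unset, `cd ~/${{ vars.DIRECTORY_NAME }}` renders as `cd ~/` and still succeeds, so the compose commands would be attempted from the home directory instead of failing early. Expose the variables in this step's `env:` and guard them the same way, for example `: "${DIRECTORY_NAME:?DIRECTORY_NAME variable must be set}"`.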
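Review bot: In the `@@ -34,15 +43,14 @@` hunk of `.github/workflows/deploy.yml`, the heredoc delimiter on the new `ssh` line changed from `'EOF'` to `EOF`, so the runner's shell now performs parameter and command expansion on the body before it is sent to the server. The single quotes added around `'${{ secrets.JWT_SECRET }}'` and the `vars.*` values do not prevent that, because quotes inside an unquoted heredoc body are plain text to the local shell; a value containing `$`, a backtick or a backslash would be altered or evaluated on the runner. The `${{ }}` expressions are substituted by Actions before the shell starts, so nothing in the body needs local expansion: keep the quoted delimiter, `ssh -i ~/.ssh/id_ed25519 ${{ vars.USERNAME }}@${{ vars.HOST }} << 'EOF'`. Even then a value containing a single quote would end the quoting on the remote side, so either document that these values must not contain `'` or move them out of the script text altogether.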
@@ -144,7 +144,7 @@ bantime = 600 Adjust `logpath` to wherever your `LOG_FILE` is. With Docker, the log file lives inside the `nanodrop-data` volume — mount it to a host path or bind-mount a host directory instead of the named volume to make it accessible to fail2ban: ```yaml -# docker-compose.yml override +# compose.yaml override volumes: - /var/lib/nanodrop:/app/data ``` diff --git a/docker-compose.yml b/compose.yaml similarity index 100% rename from docker-compose.yml rename to compose.yaml