diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 11b4633..2a41dff 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -9,15 +9,20 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Verify required secrets
+        run: |
+          [ -n "${{ secrets.DEPLOY_SSH_KEY }}" ] || { echo "::error::DEPLOY_SSH_KEY secret 누락"; exit 1; }
+          [ -n "${{ secrets.DEPLOY_HOST }}"    ] || { echo "::error::DEPLOY_HOST secret 누락";    exit 1; }
+          [ -n "${{ secrets.DEPLOY_USER }}"    ] || { echo "::error::DEPLOY_USER secret 누락";    exit 1; }
+          [ -n "${{ secrets.DATABASE_URL }}"   ] || { echo "::error::DATABASE_URL secret 누락";   exit 1; }
+          echo "✔ secrets present"
 
       - name: Setup SSH
         run: |
           mkdir -p ~/.ssh
-          echo "${{ secrets.DEPLOY_SSH_KEY }}" > ~/.ssh/id_rsa
+          printf '%s\n' "${{ secrets.DEPLOY_SSH_KEY }}" > ~/.ssh/id_rsa
           chmod 600 ~/.ssh/id_rsa
-          ssh-keyscan -H ${{ secrets.DEPLOY_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+          ssh-keyscan -H "${{ secrets.DEPLOY_HOST }}" >> ~/.ssh/known_hosts 2>/dev/null || true
 
       - name: Deploy via SSH
         env:
@@ -36,17 +41,34 @@ jobs:
           MOMO_BANK_ACCOUNT: ${{ secrets.MOMO_BANK_ACCOUNT }}
           MOMO_PHONE: ${{ secrets.MOMO_PHONE }}
         run: |
-          ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" bash -s << 'REMOTE'
+          # 환경변수를 원격 셸로 전달하기 위해 export 한 뒤 -E 로 보내거나, heredoc 안에서 GitHub-style 변수 보간 사용
+          ssh -o StrictHostKeyChecking=no -o ConnectTimeout=15 "$SSH_USER@$SSH_HOST" \
+            "DATABASE_URL='$DATABASE_URL' \
+             NEXTAUTH_URL='$NEXTAUTH_URL' \
+             NEXTAUTH_SECRET='$NEXTAUTH_SECRET' \
+             MASTER_PWD='$MASTER_PWD' \
+             AES_KEY='$AES_KEY' \
+             SMTP_HOST='$SMTP_HOST' \
+             SMTP_PORT='$SMTP_PORT' \
+             SMTP_USER='$SMTP_USER' \
+             SMTP_PASS='$SMTP_PASS' \
+             SMTP_FROM='$SMTP_FROM' \
+             MOMO_BANK_ACCOUNT='$MOMO_BANK_ACCOUNT' \
+             MOMO_PHONE='$MOMO_PHONE' \
+             bash -s" <<'REMOTE_SCRIPT'
           set -e
           DEPLOY_DIR="$HOME/momo-erp/source"
           mkdir -p "$HOME/momo-erp"
           if [ -d "$DEPLOY_DIR/.git" ]; then
-            cd "$DEPLOY_DIR" && git fetch origin && git reset --hard origin/main
+            cd "$DEPLOY_DIR"
+            git fetch origin
+            git reset --hard origin/main
           else
             git clone https://git.junggomoa.com/chpark/distribution_erp.git "$DEPLOY_DIR"
             cd "$DEPLOY_DIR"
           fi
-          cat > .env.production <<EOF
+
+          cat > .env.production <<ENVEOF
           DATABASE_URL="$DATABASE_URL"
           NEXTAUTH_URL="$NEXTAUTH_URL"
           NEXTAUTH_SECRET="$NEXTAUTH_SECRET"
@@ -63,9 +85,11 @@ jobs:
           SMTP_FROM="$SMTP_FROM"
           MOMO_BANK_ACCOUNT="$MOMO_BANK_ACCOUNT"
           MOMO_PHONE="$MOMO_PHONE"
-          EOF
+          ENVEOF
+
           docker compose -f docker-compose.prod.yml up -d --build
-          # DB 마이그레이션 (idempotent — 이미 있으면 IF NOT EXISTS 로 스킵)
-          docker compose -f docker-compose.prod.yml exec -T momo-erp npm run migrate:momo || true
+          # 마이그레이션 (실패해도 배포는 성공으로 간주)
+          docker compose -f docker-compose.prod.yml exec -T momo-erp npm run migrate:momo || \
+            echo "::warning::migration step failed or skipped"
           docker compose -f docker-compose.prod.yml ps
-          REMOTE
+          REMOTE_SCRIPT