diff --git a/.woodpecker.yml b/.woodpecker.yml
index 01bc6cc..84ba478 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -1,10 +1,10 @@
 ---
 kind: pipeline
 type: docker
-name: build-and-deploy
+name: ssh-test
 steps:
- ssh-deploy:
+ - name: ssh-test
 image: google/cloud-sdk:latest
 entrypoint:
 - bash
@@ -14,34 +14,36 @@ steps:
 mkdir -p ~/.ssh;
- gcloud secrets versions access latest --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev | base64 -d > ~/.ssh/known_hosts;
+ # ── Inject known-hosts and SSH key ───────────────────────────────
+ gcloud secrets versions access latest \
+ --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \
+ | base64 -d > ~/.ssh/known_hosts;
 chmod 644 ~/.ssh/known_hosts;
- gcloud secrets versions access latest --secret=STAGING_SSH_KEY --project=aptivaai-dev | base64 -d > ~/.ssh/id_ed25519;
+ gcloud secrets versions access latest \
+ --secret=STAGING_SSH_KEY --project=aptivaai-dev \
+ | base64 -d > ~/.ssh/id_ed25519;
 chmod 600 ~/.ssh/id_ed25519;
+ echo "🔑 SSH prerequisites installed";
- echo "📦 CI_COMMIT_SHA: ${CI_COMMIT_SHA:-unset}";
- TAG="${CI_COMMIT_SHA:-}";
- if [ -z "$TAG" ]; then echo "❌ CI_COMMIT_SHA is blank. Aborting."; exit 1; fi;
- TAG=$(echo "$TAG" | head -c 8);
- echo "🚀 Deploying tag ${TAG} to staging";
-
- ssh -o StrictHostKeyChecking=yes -i ~/.ssh/id_ed25519 jcoakley@10.128.0.12 \
- "export IMG_TAG=${TAG}; \
- cd /home/jcoakley/aptiva-staging-app; \
- echo 'IMG_TAG = ${IMG_TAG}'; \
- echo '→ Pulling containers'; \
- docker compose pull; \
- echo '→ Recreating services'; \
- docker compose up -d --force-recreate --remove-orphans; \
- echo '✅ Staging stack refreshed with tag ${IMG_TAG}'"
+ # ── SSH into staging and deploy ──────────────────────────────────
+ ssh -o StrictHostKeyChecking=yes \
+ -i ~/.ssh/id_ed25519 \
+ jcoakley@10.128.0.12 \
+ 'set -euo pipefail; \
+ IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev); \
+ export IMG_TAG; \
+ echo "📦 IMG_TAG=$IMG_TAG"; \
+ cd /home/jcoakley/aptiva-staging-app; \
+ echo "IMG_TAG = $IMG_TAG"; \
+ sudo --preserve-env=IMG_TAG docker compose pull; \
+ sudo --preserve-env=IMG_TAG docker compose up -d --force-recreate --remove-orphans; \
+ echo "✅ Staging stack refreshed with tag $IMG_TAG"'
 secrets:
 - STAGING_SSH_KEY
 - STAGING_KNOWN_HOSTS
-
-environment:
- CI_COMMIT_SHA: ${CI_COMMIT_SHA}
+ - IMG_TAG
 when:
 event:
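Review bot: The remote command now runs `docker compose` under `sudo` with an `IMG_TAG` that is never checked: the old `if [ -z "$TAG" ]` abort is removed, and `set -euo pipefail` stops on a failed `gcloud` call but not on an empty or malformed value. A guard right after the fetch would restore that, e.g. `case "$IMG_TAG" in ""|*[!A-Za-z0-9_.-]*) echo "invalid IMG_TAG" >&2; exit 1;; esac; \`. Because the command is single-quoted, the tag is read on the staging host from the `latest` version of the secret rather than from the commit that triggered the run, so the deployed image is whatever that secret holds at that moment; pinning a secret version or passing a commit-derived tag would keep the deploy traceable. The `- IMG_TAG` entry added under `secrets:` appears unused by this step, since nothing in the visible script reads it from the CI environment, and could be dropped so the value is not exposed to the container. The script's opening lines are above the hunk, so this is based on the visible part only.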