diff --git a/.woodpecker.yml b/.woodpecker.yml index dd740e1..25c0304 100644 --- a/.woodpecker.yml +++ b/.woodpecker.yml @@ -6,11 +6,12 @@ name: prod-promotion steps: - name: promote-tag-and-mirror image: google/cloud-sdk:latest - entrypoint: [bash, -c] - commands: + entrypoint: + - bash + - -lc - | set -euo pipefail - if [ "x$PROMOTE" != "xprod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi + if [ "${PROMOTE:-}" != "prod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi # Dev is the single source of truth for IMG_TAG IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)" @@ -33,18 +34,18 @@ steps: "$SRC_REF" "$DST_REF" done - printf "%s" "$IMG_TAG" | gcloud secrets versions add IMG_TAG --data-file=- --project=aptivaai-prod >/dev/null + printf '%s' "$IMG_TAG" | gcloud secrets versions add IMG_TAG --data-file=- --project=aptivaai-prod >/dev/null echo "🏷 Promoted IMG_TAG=$IMG_TAG → aptivaai-prod" - - name: verify-sync depends_on: [promote-tag-and-mirror] image: google/cloud-sdk:latest - entrypoint: [bash, -c] - commands: + entrypoint: + - bash + - -lc - | set -euo pipefail - if [ "x$PROMOTE" != "xprod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi + if [ "${PROMOTE:-}" != "prod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)" PROD_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)" 
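Review bot: The skip message in the rewritten guard still expands `$PROMOTE` bare, so under `set -euo pipefail` an unset PROMOTE passes the new `${PROMOTE:-}` test and then aborts on the echo with an unbound-variable error instead of exiting 0. Use the same default in the message: `echo "⏭ Skipping (PROMOTE=${PROMOTE:-})"; exit 0`. The identical guard line in the verify-sync and security-scan steps (the next two hunks) needs the same change. Separately, `-lc` makes bash a login shell that sources the image's profile files, and the image is the mutable `google/cloud-sdk:latest`; unless something in a profile is actually required, plain `-c` keeps the step's behaviour tied to the script alone.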
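Review bot: The promote step writes `IMG_TAG` into the aptivaai-prod secret as its last action, before verify-sync and security-scan have run, so a failed scan still leaves the prod secret pointing at the rejected tag. If anything outside this pipeline reads that secret (not visible here), it would pick up an image that never passed the gate. Consider moving the `gcloud secrets versions add IMG_TAG --data-file=- --project=aptivaai-prod` line into a step that depends on security-scan. verify-sync reads the prod value as `PROD_TAG`, so it would then need to check the registry only or run after that write. The step body starts above this hunk, so any earlier validation of `IMG_TAG` is not visible.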
@@ -61,15 +62,15 @@ steps: done echo "✅ Prod AR has all images at :$IMG_TAG" - - name: security-scan depends_on: [verify-sync] image: google/cloud-sdk:latest - entrypoint: [bash, -c] - commands: + entrypoint: + - bash + - -lc - | set -euo pipefail - if [ "x$PROMOTE" != "xprod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi + if [ "${PROMOTE:-}" != "prod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)" REG="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo" @@ -88,7 +89,6 @@ steps: --exit-code 1 --severity CRITICAL "$REF" done - - name: prod-deploy depends_on: [security-scan] image: google/cloud-sdk:latest
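Review bot: security-scan re-reads `IMG_TAG` from the aptivaai-dev secret's `latest` version instead of using the value that was promoted, so if the dev secret gains a new version between steps the scan gates a different tag than the one written to prod. Reading the promoted value keeps the gate on what will be deployed: `IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)"`. The scan also appears to address images by tag under `$REG`; resolving each one to a digest and handing that digest to prod-deploy (assuming it can accept one) would stop a re-pushed tag from bypassing the scan result. The loop that builds `$REF` lies outside this hunk.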