diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 74bb52b..1c3437b 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -74,13 +74,27 @@ jobs:
 steps:
 - name: Pull and start web
 uses: appleboy/ssh-action@v1.2.5
+ env:
+ REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
+ REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
 with:
 host: ${{ secrets.DEPLOY_HOST }}
 username: ${{ secrets.DEPLOY_USER }}
 port: ${{ secrets.DEPLOY_PORT }}
 key: ${{ secrets.DEPLOY_SSH_KEY }}
+ # Pass the registry creds into the remote shell's environment so the
+ # `docker login`, the clone-if-absent, and the git pull below can all
+ # reuse them WITHOUT ever interpolating the token into the script text
+ # (which would land it in the run log / process args).
+ envs: REGISTRY_USER,REGISTRY_TOKEN
 script: |
- docker login git.unom.io -u ${{ secrets.REGISTRY_USER }} -p ${{ secrets.REGISTRY_TOKEN }}
+ set -euo pipefail
+ printf '%s' "$REGISTRY_TOKEN" | docker login git.unom.io -u "$REGISTRY_USER" --password-stdin
+ # Self-install on a blank host: make sure git exists, then clone the
+ # repo if it isn't already checked out (mirrors played/workflows
+ # build-deploy-game.yml). The deploy user has NOPASSWD sudo.
+ command -v git >/dev/null 2>&1 || { sudo apt-get update -qq && sudo apt-get install -y git; }
+ [ -d "$HOME/unom-website/.git" ] || git clone "https://${REGISTRY_USER}:${REGISTRY_TOKEN}@git.unom.io/unom/website.git" "$HOME/unom-website"
 cd ~/unom-website
 git fetch origin main
 git reset --hard origin/main
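Review bot: The clone-if-absent line still embeds the token in the clone URL, `https://${REGISTRY_USER}:${REGISTRY_TOKEN}@git.unom.io/unom/website.git`, which undoes the point of the new `envs:` comment: the expanded URL is visible in the process arguments of that `git clone` on the deploy host, and git writes it verbatim into `.git/config` as the `origin` URL, so the token persists in plaintext on disk and keeps being used by every later `git fetch origin main` even after rotation. The `docker login --password-stdin` change gets this right; the clone should be given the credentials the same way, via a credential helper that reads `$REGISTRY_USER`/`$REGISTRY_TOKEN` from the environment at run time, and the `fetch` needs the same helper (or `git config --local credential.helper` set once after the clone) so the checkout never has to carry a token. The helper string is single-quoted in the script, so the variable names rather than their values appear in git's argv; the `.git/config` written by the clone then holds only the bare URL. I assume the existing `git fetch origin main` path currently works only because earlier manual clones baked a token into the remote URL — worth checking on the host before switching, since with a clean URL the fetch will need the helper.
```yaml
            script: |
              # … unchanged: set -euo pipefail, docker login --password-stdin, git install …
              GIT_CRED='!f() { printf "username=%s\npassword=%s\n" "$REGISTRY_USER" "$REGISTRY_TOKEN"; }; f'
              [ -d "$HOME/unom-website/.git" ] || git -c credential.helper="$GIT_CRED" clone "https://git.unom.io/unom/website.git" "$HOME/unom-website"
              cd ~/unom-website
              git -c credential.helper="$GIT_CRED" fetch origin main
              # … unchanged: git reset --hard origin/main …
```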