diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
index b8aad9f..9ceeba3 100644
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@@ -245,21 +245,19 @@ jobs:
 podman --remote pull "$REGISTRY_HOST/$APP_NAME/sharenet-backend-api-postgres:$IMAGE_TAG"
 podman --remote pull "$REGISTRY_HOST/$APP_NAME/sharenet-frontend:$IMAGE_TAG"
- # 1) Render nginx.conf from repo and copy to host (no unshare)
+ # RENDER & COPY NGINX CONF (unchanged except for whitelisted envsubst)
 - name: Render nginx.conf and write to host
 run: |
 set -euo pipefail
- apk add --no-cache gettext >/dev/null # envsubst
- # Only substitute the vars we intend to: ${PROD_*_PORT}
+ apk add --no-cache gettext >/dev/null
 envsubst '${PROD_FRONTEND_PORT} ${PROD_BACKEND_PORT}' < nginx/nginx.conf > /tmp/nginx.conf
-
 podman --remote run --rm -i \
 --userns=keep-id \
 -v /opt/sharenet/nginx:/host-nginx:rw \
 alpine:3.20 sh -c 'install -D -m 0644 /dev/stdin /host-nginx/nginx.conf' \
 < /tmp/nginx.conf
- # 2) Lint nginx.conf BEFORE restarting the pod (avoids crash loops)
+ # LINT NGINX CONF BEFORE APPLYING
 - name: Validate nginx.conf with throwaway container
 run: |
 set -euo pipefail
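Review bot: The whitelisted `envsubst '${PROD_FRONTEND_PORT} ${PROD_BACKEND_PORT}'` line expands an unset variable to an empty string, and `set -u` does not catch it because envsubst reads the environment itself, so a missing port variable produces a broken `nginx.conf` that only surfaces at the lint step or, worse, as a wrong listen directive. Fail fast before rendering with `: "${PROD_FRONTEND_PORT:?unset}" "${PROD_BACKEND_PORT:?unset}"` as the first command after `set -euo pipefail`. The new comment `# RENDER & COPY NGINX CONF (unchanged except for whitelisted envsubst)` drops the reason the removed comment gave; keep a one-liner above the envsubst call such as `# only expand the two port vars so every other $... in nginx.conf stays literal`. The copy into `/opt/sharenet/nginx` still runs `alpine:3.20` by mutable tag; pinning that image by digest keeps the render step reproducible.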
@@ -268,16 +266,24 @@ jobs:
 docker.io/nginx:alpine \
 sh -lc 'nginx -t -c /etc/nginx/nginx.conf'
- # 3) Recreate the pod (down → play). This ensures new images/ports/env + the validated conf.
- - name: Recreate pod
+ # APPLY/RE-APPLY THE POD (no explicit "down"; use --replace)
+ - name: Apply pod (kube play --replace)
 run: |
 set -euo pipefail
- podman --remote kube down sharenet-production-pod || true
- envsubst < deploy/prod-pod.yml | podman --remote kube play -
+ # If your Podman supports --replace, this is the cleanest:
+ envsubst < deploy/prod-pod.yml | podman --remote kube play --replace -
- # 4) Verify health on the prod host
+ # If --replace is NOT supported in your Podman, use this fallback instead:
+ # - name: Recreate pod (fallback)
+ # run: |
+ # set -euo pipefail
+ # podman --remote pod rm -f sharenet-production-pod 2>/dev/null || true
+ # envsubst < deploy/prod-pod.yml | podman --remote kube play -
+
+ # VERIFY (install curl first)
 - name: Verify in-pod Nginx
 run: |
 set -euo pipefail
+ apk add --no-cache curl >/dev/null
 curl -sS -D- http://127.0.0.1:18080/healthz
-
+ curl -sS -I http://127.0.0.1:18080/
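Review bot: The verify step at the end of the hunk fires a single `curl` immediately after `kube play --replace`, with no readiness wait and without `--fail`, so a pod that is still starting fails the job on connection refused while a pod whose nginx answers 502/503 passes it; a short bounded poll before the checks and `-f` on both curl calls make the step reflect actual health, rewritten below. The commented-out "Recreate pod (fallback)" block is dead text in a workflow file and will silently rot — either drop it or make the `--replace` choice a runtime check. `envsubst < deploy/prod-pod.yml` substitutes every `${VAR}` in the manifest, unlike the nginx step which whitelists `${PROD_FRONTEND_PORT} ${PROD_BACKEND_PORT}`; applying the same whitelist keeps unrelated runner environment variables out of the pod spec. With `podman --remote` the pod runs on the remote host, so `127.0.0.1:18080` is only reachable if the runner shares that host's loopback, which the old step name "Verify health on the prod host" suggests but the hunk does not show.
```yaml
      - name: Verify in-pod Nginx
        run: |
          set -euo pipefail
          apk add --no-cache curl >/dev/null
          # give the replayed pod a bounded window to accept connections before the real checks
          for _ in $(seq 1 30); do
            curl -sSf -o /dev/null http://127.0.0.1:18080/healthz && break
            sleep 2
          done
          curl -sSf -D- http://127.0.0.1:18080/healthz
          curl -sSf -I http://127.0.0.1:18080/
```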