diff --git a/.gitea/workflows/workflow.yaml b/.gitea/workflows/workflow.yaml
index 240040f..7df95e4 100644
--- a/.gitea/workflows/workflow.yaml
+++ b/.gitea/workflows/workflow.yaml
@@ -7,18 +7,24 @@ on:
 
 jobs:
   build:
+    name: Build & deploy
     runs-on: ubuntu-latest
 
     steps:
-      - uses: https://github.com/actions/checkout@v4
+      - name: Checkout
+        uses: https://github.com/actions/checkout@v4
         with:
-          fetch-depth: 2
+          fetch-depth: 0 # whole history and tags, can refine this later
+          persist-credentials: false   # don’t leave the HTTPS token in origin
+          ssh-key: ${{ secrets.GIT_SSH_KEY }}
 
-      - uses: https://github.com/actions/setup-node@v4
+      - name: Setup node
+        uses: https://github.com/actions/setup-node@v4
         with:
           node-version: 22
 
-      - uses: https://github.com/pnpm/action-setup@v3
+      - name: Setup pnpm
+        uses: https://github.com/pnpm/action-setup@v3
         with:
           version: 9
           run_install: false
@@ -27,8 +33,53 @@ jobs:
       - name: Install
         run: pnpm install --frozen-lockfile
 
-      - name: Build only changed sites
+      - name: Build affected apps
         run: |
           pnpm turbo run build \
-            --filter="{./apps/*}...[HEAD^1]" \
+            --filter="{./apps/*}...[deployed...HEAD^1]" \
             --concurrency=1
+
+      - name: Gather output
+        run: |
+         mkdir -p deploy
+         
+         for public in apps/*/.output/public; do
+           if [ -d "$public" ]; then
+             # Derive the app name (e.g. "marketing" for apps/marketing)
+             app=$(basename "$(dirname "$(dirname "$public")")")
+             echo "→ Collecting $app"
+         
+             # Copy its public output into deploy/<app>/
+             mkdir -p "deploy/$app"
+             cp -r "$public/." "deploy/$app/"
+           fi
+         done
+         
+         echo "All sites collected under deploy/:"
+         ls -R deploy
+
+      - name: Start ssh agent
+        uses: webfactory/ssh-agent@v0.9.0
+        with:
+          ssh-private-key: |
+            ${{ secrets.HOST_SSH_KEY }}
+            ${{ secrets.GIT_SSH_KEY }}
+
+      - name: Rsync to web server
+        env:
+          HOST: ${{ secrets.HOST_NAME }}
+          USER: ${{ secrets.HOST_USER }}
+        run: |
+          for pub in build/*; do
+            site=$(basename "$pub" .public)
+            echo "Deploying $site to $USER@$HOST:/www/$site"
+            ssh -o StrictHostKeyChecking=no "$USER@$HOST" "mkdir -p /www/$site"
+            rsync -az --delete "$pub/" "$USER@$HOST:/www/$site/"
+          done
+
+      - name: Update deployment tag
+        run: | # todo this could cause a race condition
+          git config user.name  "CI"
+          git config user.email "ci@dominikmilacher.com"
+          git tag -f last-deploy HEAD 
+          git push origin last-deploy --force
\ No newline at end of file