diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 8c61d76..884c085 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -130,21 +130,26 @@ jobs:
             --from-literal=ALIYUN_SMS_ACCESS_SECRET='${{ secrets.ALIYUN_SMS_ACCESS_SECRET }}' \
             --dry-run=client -o yaml | kubectl apply -f -
 
-          # Apply manifests
+          # Apply manifests (with retry for transient network issues)
           set -o pipefail
-          {
-            kubectl apply -f k8s/backend-deployment.yaml
-            kubectl apply -f k8s/celery-deployment.yaml
-            kubectl apply -f k8s/web-deployment.yaml
-            kubectl apply -f k8s/ingress.yaml
+          for attempt in 1 2 3; do
+            echo "Deploy attempt $attempt/3..."
+            {
+              kubectl apply -f k8s/backend-deployment.yaml
+              kubectl apply -f k8s/celery-deployment.yaml
+              kubectl apply -f k8s/web-deployment.yaml
+              kubectl apply -f k8s/ingress.yaml
 
-            # Preserve real client IP
-            kubectl patch svc traefik -n kube-system -p '{"spec":{"externalTrafficPolicy":"Local"}}' 2>/dev/null || true
+              # Preserve real client IP
+              kubectl patch svc traefik -n kube-system -p '{"spec":{"externalTrafficPolicy":"Local"}}' 2>/dev/null || true
 
-            kubectl rollout restart deployment/video-backend
-            kubectl rollout restart deployment/celery-worker
-            kubectl rollout restart deployment/video-web
-          } 2>&1 | tee /tmp/deploy.log
+              kubectl rollout restart deployment/video-backend
+              kubectl rollout restart deployment/celery-worker
+              kubectl rollout restart deployment/video-web
+            } 2>&1 | tee /tmp/deploy.log && break
+            echo "Attempt $attempt failed, retrying in 10s..."
+            sleep 10
+          done
 
       # ===== Log Center: failure reporting =====
       - name: Report failure to Log Center