diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 5133d67..4d83365 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -130,28 +130,28 @@ jobs:
           sed -i "s|redis://zyc:Zyc188208@redis-shzlsczo52dft8mia.redis.ivolces.com:6379/0|${{ env.REDIS_URL }}|g" k8s/backend-deployment.yaml
           sed -i "s|redis://zyc:Zyc188208@redis-shzlsczo52dft8mia.redis.ivolces.com:6379/0|${{ env.REDIS_URL }}|g" k8s/celery-deployment.yaml
 
-          # Create/update image pull secret for CR
-          kubectl create secret docker-registry cr-pull-secret \
-            --docker-server="${{ env.CR_SERVER_ACTIVE }}" \
-            --docker-username="${{ env.CR_USERNAME_ACTIVE }}" \
-            --docker-password="${{ env.CR_PASSWORD_ACTIVE }}" \
-            --dry-run=client -o yaml | kubectl apply -f -
-
-          # Create/update secrets (业务密钥，DB 已写在 yaml 里)
-          kubectl create secret generic video-backend-secrets \
-            --from-literal=ARK_API_KEY='${{ secrets.ARK_API_KEY }}' \
-            --from-literal=TOS_ACCESS_KEY='${{ secrets.TOS_ACCESS_KEY }}' \
-            --from-literal=TOS_SECRET_KEY='${{ secrets.TOS_SECRET_KEY }}' \
-            --from-literal=DJANGO_SECRET_KEY='${{ secrets.DJANGO_SECRET_KEY }}' \
-            --from-literal=ALIYUN_SMS_ACCESS_KEY='${{ secrets.ALIYUN_SMS_ACCESS_KEY }}' \
-            --from-literal=ALIYUN_SMS_ACCESS_SECRET='${{ secrets.ALIYUN_SMS_ACCESS_SECRET }}' \
-            --dry-run=client -o yaml | kubectl apply -f -
-
-          # Apply manifests (with retry for transient network issues)
-          set -o pipefail
+          # All kubectl operations with retry (K3s 内网连接可能抖动)
           for attempt in 1 2 3; do
             echo "Deploy attempt $attempt/3..."
             {
+              # Create/update image pull secret for CR
+              kubectl create secret docker-registry cr-pull-secret \
+                --docker-server="${{ env.CR_SERVER_ACTIVE }}" \
+                --docker-username="${{ env.CR_USERNAME_ACTIVE }}" \
+                --docker-password="${{ env.CR_PASSWORD_ACTIVE }}" \
+                --dry-run=client -o yaml | kubectl apply -f -
+
+              # Create/update secrets (业务密钥，DB 已写在 yaml 里)
+              kubectl create secret generic video-backend-secrets \
+                --from-literal=ARK_API_KEY='${{ secrets.ARK_API_KEY }}' \
+                --from-literal=TOS_ACCESS_KEY='${{ secrets.TOS_ACCESS_KEY }}' \
+                --from-literal=TOS_SECRET_KEY='${{ secrets.TOS_SECRET_KEY }}' \
+                --from-literal=DJANGO_SECRET_KEY='${{ secrets.DJANGO_SECRET_KEY }}' \
+                --from-literal=ALIYUN_SMS_ACCESS_KEY='${{ secrets.ALIYUN_SMS_ACCESS_KEY }}' \
+                --from-literal=ALIYUN_SMS_ACCESS_SECRET='${{ secrets.ALIYUN_SMS_ACCESS_SECRET }}' \
+                --dry-run=client -o yaml | kubectl apply -f -
+
+              # Apply manifests
               kubectl apply -f k8s/backend-deployment.yaml
               kubectl apply -f k8s/celery-deployment.yaml
               kubectl apply -f k8s/web-deployment.yaml