diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 722e51a..e5823db 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -11,10 +11,19 @@ jobs:
 steps:
 - name: Deploy with SSH
 uses: appleboy/ssh-action@v1.0.0
+ env:
+ VAULT_PASS: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
 with:
 host: ${{ secrets.SSH_HOST }}
 username: ${{ secrets.SSH_USER }}
 key: ${{ secrets.SSH_PRIVATE_KEY }}
 port: 22
+ envs: VAULT_PASS
 script: |
- cd ${{ secrets.DEPLOY_PATH }} && ansible-playbook ansible/deploy.yml -i ansible/hosts.ini --vault-password-file <(echo '${{ secrets.ANSIBLE_VAULT_PASSWORD }}')
+ set -e
+ cd ${{ secrets.DEPLOY_PATH }}
+ VAULT_FILE="$(mktemp)"
+ trap 'rm -f "$VAULT_FILE"' EXIT
+ printf '%s' "$VAULT_PASS" > "$VAULT_FILE"
+ chmod 600 "$VAULT_FILE"
+ ansible-playbook ansible/deploy.yml -i ansible/hosts.ini --vault-password-file "$VAULT_FILE"
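Review bot: The new script still expands `${{ secrets.DEPLOY_PATH }}` directly into the shell text at `cd ${{ secrets.DEPLOY_PATH }}`, unquoted, so the remote shell parses the value (word splitting, globbing, metacharacters) and it is rendered into the script before it is sent, unlike the vault password, which this commit moves into an environment variable. Passing it the same way would be consistent: add `DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}` under `env:`, change the input to `envs: VAULT_PASS,DEPLOY_PATH`, and use `cd "$DEPLOY_PATH"`. The `chmod 600` runs after the password is written; `mktemp` normally creates the file owner-only already, so this is harmless, but moving it above the `printf` would make the protection independent of that default. The job definition begins above the hunk, so the runner and trigger context are not visible here.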