diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml index 1a60855d..b748be01 100644 --- a/.gitea/workflows/deploy.yml +++ b/.gitea/workflows/deploy.yml @@ -38,12 +38,29 @@ jobs: gotify_priority: ${{ steps.determine.outputs.gotify_priority }} short_sha: ${{ steps.determine.outputs.short_sha }} commit_msg: ${{ steps.determine.outputs.commit_msg }} + gatekeeper_changed: ${{ steps.changes.outputs.gatekeeper_changed }} steps: - name: Checkout repository uses: actions/checkout@v4 with: fetch-depth: 0 + - name: 🔍 Check for Gatekeeper changes + id: changes + run: | + if git rev-parse HEAD~1 >/dev/null 2>&1; then + if git diff --quiet HEAD~1 HEAD -- gatekeeper; then + echo "gatekeeper_changed=false" >> $GITHUB_OUTPUT + echo "â„šī¸ No changes in gatekeeper/" + else + echo "gatekeeper_changed=true" >> $GITHUB_OUTPUT + echo "âš ī¸ Changes detected in gatekeeper/" + fi + else + echo "gatekeeper_changed=true" >> $GITHUB_OUTPUT + echo "🆕 First commit or no history, building gatekeeper." + fi + - name: 🔍 Environment & Version ermitteln id: determine shell: bash @@ -166,8 +183,8 @@ jobs: # ────────────────────────────────────────────────────────────────────────────── # JOB 3: Build & Push Docker Image # ────────────────────────────────────────────────────────────────────────────── - build: - name: đŸ—ī¸ Build & Push + build-app: + name: đŸ—ī¸ Build App needs: prepare if: ${{ needs.prepare.outputs.target != 'skip' }} runs-on: docker @@ -180,12 +197,11 @@ jobs: - name: đŸŗ Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: 🔐 Registry Login run: | echo "${{ secrets.REGISTRY_PASS }}" | docker login registry.infra.mintel.me -u "${{ secrets.REGISTRY_USER }}" --password-stdin - - name: đŸ—ī¸ Docker Image bauen & pushen + - name: đŸ—ī¸ App bauen & pushen env: IMAGE_TAG: ${{ needs.prepare.outputs.image_tag }} TARGET: ${{ needs.prepare.outputs.target }} 
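Review bot: `git diff --quiet HEAD~1 HEAD -- gatekeeper` in the new "Check for Gatekeeper changes" step only inspects the last commit, so a push carrying several commits where `gatekeeper/` was touched by an earlier one is reported as `gatekeeper_changed=false`. Because that output selects the reduced build path in `build-gatekeeper`, it would be safer to diff against the previously pushed revision (for example the push event's before-SHA, if the runner exposes it) and to fall back to `true` whenever that base cannot be resolved. The step also has no `shell: bash`, while the following "Environment & Version ermitteln" step does, and `$GITHUB_OUTPUT` is unquoted; `>> "$GITHUB_OUTPUT"` is the safer form.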
@@ -194,7 +210,6 @@ jobs: NEXT_PUBLIC_UMAMI_SCRIPT_URL: ${{ needs.prepare.outputs.target == 'production' && secrets.NEXT_PUBLIC_UMAMI_SCRIPT_URL || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_NEXT_PUBLIC_UMAMI_SCRIPT_URL || secrets.TESTING_NEXT_PUBLIC_UMAMI_SCRIPT_URL || secrets.NEXT_PUBLIC_UMAMI_SCRIPT_URL) }} DIRECTUS_URL: ${{ needs.prepare.outputs.directus_url }} run: | - echo "đŸ—ī¸ Building → $TARGET / $IMAGE_TAG" docker buildx build \ --pull \ --platform linux/arm64 \ 
@@ -207,15 +222,48 @@ jobs: --cache-to type=registry,ref=registry.infra.mintel.me/mintel/klz-cables.com:buildcache,mode=max \ --push . + build-gatekeeper: + name: đŸ—ī¸ Build Gatekeeper + needs: prepare + if: ${{ needs.prepare.outputs.target != 'skip' }} + runs-on: docker + container: + image: catthehacker/ubuntu:act-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: đŸŗ Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: 🔐 Registry Login + run: | + echo "${{ secrets.REGISTRY_PASS }}" | docker login registry.infra.mintel.me -u "${{ secrets.REGISTRY_USER }}" --password-stdin + - name: đŸ—ī¸ Gatekeeper bauen & pushen env: IMAGE_TAG: ${{ needs.prepare.outputs.image_tag }} + CHG: ${{ needs.prepare.outputs.gatekeeper_changed }} run: | - docker buildx build \ - --pull \ - --platform linux/arm64 \ - -t registry.infra.mintel.me/mintel/klz-cables-gatekeeper:$IMAGE_TAG \ - --push ./gatekeeper + if [ "$CHG" == "true" ]; then + echo "đŸ—ī¸ Building Gatekeeper (Changes detected)..." + docker buildx build \ + --pull \ + --platform linux/arm64 \ + -t registry.infra.mintel.me/mintel/klz-cables-gatekeeper:$IMAGE_TAG \ + --cache-from type=registry,ref=registry.infra.mintel.me/mintel/klz-cables-gatekeeper:buildcache \ + --cache-to type=registry,ref=registry.infra.mintel.me/mintel/klz-cables-gatekeeper:buildcache,mode=max \ + --push ./gatekeeper + else + echo "⏊ Skipping build, just re-tagging existing image..." + # Fast-track: tag the latest (or buildcache) as the new version + # We use buildx with cache but without rebuild triggers - it's near instant + docker buildx build \ + --platform linux/arm64 \ + -t registry.infra.mintel.me/mintel/klz-cables-gatekeeper:$IMAGE_TAG \ + --cache-from type=registry,ref=registry.infra.mintel.me/mintel/klz-cables-gatekeeper:buildcache \ + --push ./gatekeeper + fi # ────────────────────────────────────────────────────────────────────────────── 
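Review bot: The `else` branch of "Gatekeeper bauen & pushen" does not re-tag an existing image, despite its echo and comment: it runs another `docker buildx build` of `./gatekeeper`, this time without `--pull` and without `--cache-to`. What is pushed under `$IMAGE_TAG` then depends on whatever the mutable `klz-cables-gatekeeper:buildcache` ref holds at that moment, and on a cold or stale cache it becomes a full rebuild in which the base image is not forced to be re-resolved, so base-image fixes may not reach the gatekeeper on runs where `gatekeeper/` is untouched. Either keep `--pull \` in this branch too, or make it a real re-tag of a known image with `docker buildx imagetools create -t registry.infra.mintel.me/mintel/klz-cables-gatekeeper:$IMAGE_TAG registry.infra.mintel.me/mintel/klz-cables-gatekeeper:<PREVIOUS_TAG>` (placeholder; the diff does not show which tag is current). Separately, the new Registry Login step expands `${{ secrets.REGISTRY_PASS }}` directly into the script text; passing it through `env:` and piping `"$REGISTRY_PASS"` keeps the secret out of the generated script and avoids breakage if the value contains `"` or `$`. Finally, `[ "$CHG" == "true" ]` relies on bash; `=` works in any POSIX shell, since this step sets no `shell:`.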
@@ -223,7 +271,7 @@ jobs: # ────────────────────────────────────────────────────────────────────────────── deploy: name: 🚀 Deploy - needs: [prepare, build, qa] + needs: [prepare, build-app, build-gatekeeper, qa] if: ${{ needs.prepare.outputs.target != 'skip' }} runs-on: docker env: