diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index bbc93114..5b146529 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -118,8 +118,12 @@ jobs:
                 "https://git.infra.mintel.me/mmintel/at-mintel/raw/branch/main/packages/infra/scripts/wait-for-upstream.sh" > wait-for-upstream.sh
               chmod +x wait-for-upstream.sh
               
-              # Patch script to allow unauthenticated tag lookup if token is restricted
-              sed -i 's#TARGET_SHA=$(echo "$TAG_INFO" | jq -r ".commit.sha // empty")#TARGET_SHA=$(echo "$TAG_INFO" | jq -r ".commit.sha // empty"); [[ -z "$TARGET_SHA" || "$TARGET_SHA" == "null" ]] \&\& TARGET_SHA=$(curl -s "https://git.infra.mintel.me/api/v1/repos/$REPO/tags/$TAG" | jq -r ".commit.sha // empty")#' wait-for-upstream.sh
+              # Robust SHA discovery (bypasses restricted Gitea API)
+              UPSTREAM_SHA=$(git ls-remote --tags https://git.infra.mintel.me/mmintel/at-mintel.git "$TAG_TO_WAIT" | grep "$TAG_TO_WAIT" | tail -n1 | awk '{print $1}')
+              if [[ -n "$UPSTREAM_SHA" ]]; then
+                echo "✅ Found upstream SHA $UPSTREAM_SHA for $TAG_TO_WAIT (via git ls-remote)"
+                sed -i "s#TARGET_SHA=.*#TARGET_SHA=$UPSTREAM_SHA#g" wait-for-upstream.sh
+              fi
               
               GITEA_TOKEN=${{ secrets.GITHUB_TOKEN }} ./wait-for-upstream.sh "mmintel/at-mintel" "$TAG_TO_WAIT"
             fi