diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 10f8f72..8548077 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -206,19 +206,16 @@ jobs:
 
           if [ -z "$VALID_TOKEN" ]; then
             echo "❌ All token/user combinations failed to authenticate!"
-            # For diagnostic exfiltration, try one openly:
             T=$(echo "$TOKENS" | awk '{print $1}')
             echo "Attempting open diagnostic login with first token and user mmintel..."
             echo "$T" | docker login git.infra.mintel.me -u "mmintel" --password-stdin || true
             exit 1
           fi
 
-          echo "::add-mask::$VALID_TOKEN"
-          echo "token=$VALID_TOKEN" >> $GITHUB_OUTPUT
-          echo "user=$VALID_USER" >> $GITHUB_OUTPUT
-
-          # Mask token in logs (just in case, but Gitea usually does this automatically)
+          TOKEN="$VALID_TOKEN"
           echo "::add-mask::$TOKEN"
+          echo "token=$TOKEN" >> $GITHUB_OUTPUT
+          echo "user=$VALID_USER" >> $GITHUB_OUTPUT
 
           echo "Configuring .npmrc for git.infra.mintel.me..."
           echo "@mintel:registry=https://git.infra.mintel.me/api/packages/mmintel/npm/" > .npmrc