diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..9752cbe
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,50 @@
+kind: pipeline
+type: exec
+name: deploy
+clone:
+  disable: true
+
+trigger:
+  branch:
+    - deploy
+  event:
+    - push
+
+steps:
+  - name: deploy
+    environment:
+      DEPLOY_BRANCH: deploy
+      REPO_DIR: /root/projects/nuxt4-demo/nuxt4-demo-origin
+      GIT_REMOTE: git@gitee.com:xieyaxin/nuxt4-demo.git
+      UNZIP_DIR: /root/projects/nuxt4-demo/nuxt4-demo
+      DEPLOY_SSH_KEY:
+        from_secret: DEPLOY_SSH_KEY
+    commands:
+      - mkdir -p -m 700 "/root/.ssh"
+      - umask 077 && printf '%s\n' "$DEPLOY_SSH_KEY" > "/root/.ssh/id_rsa"
+      - 'ssh-keyscan -H -T 15 gitee.com > "/root/.ssh/known_hosts" && chmod 644 "/root/.ssh/known_hosts"'
+      - 'export SSH_OPTS="-i /root/.ssh/id_rsa -o IdentitiesOnly=yes -o UserKnownHostsFile=/root/.ssh/known_hosts -o StrictHostKeyChecking=yes -o BatchMode=yes -o ConnectTimeout=10 -o ServerAliveInterval=15 -o ServerAliveCountMax=3"'
+      # Gitee 等在认证成功时仍可能返回非 0，故忽略退出码
+      - 'ssh $SSH_OPTS -T git@gitee.com || true'
+      - 'export GIT_SSH_COMMAND="ssh $SSH_OPTS"'
+      - |
+        set -e
+        BRANCH="$DEPLOY_BRANCH"
+        REPO_DIR="$REPO_DIR"
+        GIT_REMOTE="$GIT_REMOTE"
+        if [ -d "$REPO_DIR/.git" ]; then
+          git -C "$REPO_DIR" fetch --depth 1 origin "$BRANCH"
+          git -C "$REPO_DIR" checkout -B "$BRANCH" "origin/$BRANCH"
+          git -C "$REPO_DIR" reset --hard "origin/$BRANCH"
+          git -C "$REPO_DIR" clean -fdx
+        else
+          rm -rf "$REPO_DIR"
+          mkdir -p "$(dirname "$REPO_DIR")"
+          git clone --depth 1 -b "$BRANCH" "$GIT_REMOTE" "$REPO_DIR"
+        fi
+      - |
+        set -e
+        [ -f "$REPO_DIR/build-output.tar.gz" ] || { echo "build-output.tar.gz not found in $REPO_DIR"; exit 1; }
+        rm -rf "$UNZIP_DIR"
+        mkdir -p "$UNZIP_DIR"
+        tar -xzf "$REPO_DIR/build-output.tar.gz" -C "$UNZIP_DIR"
\ No newline at end of file
diff --git a/build-files/.drone.prod.yml b/build-files/.drone.prod.yml
index 2253baa..130e2b0 100644
--- a/build-files/.drone.prod.yml
+++ b/build-files/.drone.prod.yml
@@ -4,6 +4,7 @@ name: deploy
 clone:
   disable: true
 
+# 触发分支须包含下方 DEPLOY_BRANCH（或在 Drone 仓库变量里覆盖 DEPLOY_BRANCH）
 trigger:
   branch:
     - deploy
@@ -13,6 +14,7 @@ trigger:
 steps:
   - name: deploy
     environment:
+      DEPLOY_BRANCH: deploy
       DEPLOY_SSH_KEY:
         from_secret: DEPLOY_SSH_KEY
       DATABASE_URL:
@@ -37,7 +39,22 @@ steps:
       - chmod 644 "$HOME/.ssh/known_hosts"
       - 'export SSH_OPTS="-i $HOME/.ssh/id_rsa -o IdentitiesOnly=yes -o UserKnownHostsFile=$HOME/.ssh/known_hosts -o StrictHostKeyChecking=accept-new -o BatchMode=yes -o ConnectTimeout=10 -o ServerAliveInterval=15 -o ServerAliveCountMax=3"'
       - 'ssh $SSH_OPTS -T gitee.com || true'
-      - 'REPO_DIR="$HOME/projects/nuxt4-demo/nuxt4-demo"; PROD_DIR="$HOME/projects/nuxt4-demo/production-dist"; if [ -d "$REPO_DIR/.git" ]; then GIT_SSH_COMMAND="ssh $SSH_OPTS" git -C "$REPO_DIR" fetch origin deploy && git -C "$REPO_DIR" checkout -B deploy origin/deploy && git -C "$REPO_DIR" reset --hard origin/deploy && git -C "$REPO_DIR" clean -fdx; else rm -rf "$REPO_DIR" && mkdir -p "$(dirname "$REPO_DIR")" && GIT_SSH_COMMAND="ssh $SSH_OPTS" git clone --depth 1 -b deploy "ssh://git@gitee.com:xieyaxin/nuxt4-demo.git" "$REPO_DIR"; fi'
+      - 'export GIT_SSH_COMMAND="ssh $SSH_OPTS"'
+      - 'export REPO_DIR="$HOME/projects/nuxt4-demo/nuxt4-demo" PROD_DIR="$HOME/projects/nuxt4-demo/production-dist"'
+      - |
+        set -e
+        BRANCH="$DEPLOY_BRANCH"
+        GIT_REMOTE="git@gitee.com:xieyaxin/nuxt4-demo.git"
+        if [ -d "$REPO_DIR/.git" ]; then
+          git -C "$REPO_DIR" fetch --depth 1 origin "$BRANCH"
+          git -C "$REPO_DIR" checkout -B "$BRANCH" "origin/$BRANCH"
+          git -C "$REPO_DIR" reset --hard "origin/$BRANCH"
+          git -C "$REPO_DIR" clean -fdx
+        else
+          rm -rf "$REPO_DIR"
+          mkdir -p "$(dirname "$REPO_DIR")"
+          git clone --depth 1 -b "$BRANCH" "$GIT_REMOTE" "$REPO_DIR"
+        fi
       - '[ -f "$REPO_DIR/build-output.tar.gz" ] || { echo "build-output.tar.gz not found in $REPO_DIR"; exit 1; }'
       - 'rm -rf "$PROD_DIR" && mkdir -p "$PROD_DIR"'
       - 'tar -xzf "$REPO_DIR/build-output.tar.gz" -C "$PROD_DIR"'
diff --git a/build-files/.drone.yml b/build-files/.drone.yml
index 327fbb6..9655802 100644
--- a/build-files/.drone.yml
+++ b/build-files/.drone.yml
@@ -4,6 +4,7 @@ name: deploy
 clone:
   disable: true
 
+# 触发分支须包含下方 DEPLOY_BRANCH（或在 Drone 仓库变量里覆盖 DEPLOY_BRANCH）
 trigger:
   branch:
     - deploy
@@ -13,16 +14,39 @@ trigger:
 steps:
   - name: deploy
     environment:
+      DEPLOY_BRANCH: deploy
+      REPO_DIR: /root/projects/nuxt4-demo/nuxt4-demo-origin
+      GIT_REMOTE: git@gitee.com:xieyaxin/nuxt4-demo.git
+      UNZIP_DIR: /root/projects/nuxt4-demo/nuxt4-demo
       DEPLOY_SSH_KEY:
         from_secret: DEPLOY_SSH_KEY
     commands:
       - export HOME=/root
-      - mkdir -p "$HOME/.ssh"
-      - chmod 700 "$HOME/.ssh"
-      - 'printf "%s\n" "$DEPLOY_SSH_KEY" > "$HOME/.ssh/id_rsa"'
-      - chmod 600 "$HOME/.ssh/id_rsa"
-      - 'ssh-keyscan -H gitee.com > "$HOME/.ssh/known_hosts"'
-      - chmod 644 "$HOME/.ssh/known_hosts"
-      - 'export SSH_OPTS="-i $HOME/.ssh/id_rsa -o IdentitiesOnly=yes -o UserKnownHostsFile=$HOME/.ssh/known_hosts -o StrictHostKeyChecking=accept-new -o BatchMode=yes -o ConnectTimeout=10 -o ServerAliveInterval=15 -o ServerAliveCountMax=3"'
-      - 'ssh $SSH_OPTS -T gitee.com || true'
-      - 'echo HELLO WORLD'
\ No newline at end of file
+      - mkdir -p -m 700 "$HOME/.ssh"
+      - umask 077 && printf '%s\n' "$DEPLOY_SSH_KEY" > "$HOME/.ssh/id_rsa"
+      - 'ssh-keyscan -H -T 15 gitee.com > "$HOME/.ssh/known_hosts" && chmod 644 "$HOME/.ssh/known_hosts"'
+      - 'export SSH_OPTS="-i $HOME/.ssh/id_rsa -o IdentitiesOnly=yes -o UserKnownHostsFile=$HOME/.ssh/known_hosts -o StrictHostKeyChecking=yes -o BatchMode=yes -o ConnectTimeout=10 -o ServerAliveInterval=15 -o ServerAliveCountMax=3"'
+      # Gitee 等在认证成功时仍可能返回非 0，故忽略退出码
+      - 'ssh $SSH_OPTS -T git@gitee.com || true'
+      - 'export GIT_SSH_COMMAND="ssh $SSH_OPTS"'
+      - |
+        set -e
+        BRANCH="$DEPLOY_BRANCH"
+        REPO_DIR="$REPO_DIR"
+        GIT_REMOTE="$GIT_REMOTE"
+        if [ -d "$REPO_DIR/.git" ]; then
+          git -C "$REPO_DIR" fetch --depth 1 origin "$BRANCH"
+          git -C "$REPO_DIR" checkout -B "$BRANCH" "origin/$BRANCH"
+          git -C "$REPO_DIR" reset --hard "origin/$BRANCH"
+          git -C "$REPO_DIR" clean -fdx
+        else
+          rm -rf "$REPO_DIR"
+          mkdir -p "$(dirname "$REPO_DIR")"
+          git clone --depth 1 -b "$BRANCH" "$GIT_REMOTE" "$REPO_DIR"
+        fi
+      - |
+        set -e
+        [ -f "$REPO_DIR/build-output.tar.gz" ] || { echo "build-output.tar.gz not found in $REPO_DIR"; exit 1; }
+        rm -rf "$UNZIP_DIR"
+        mkdir -p "$UNZIP_DIR"
+        tar -xzf "$REPO_DIR/build-output.tar.gz" -C "$UNZIP_DIR"
\ No newline at end of file
diff --git a/package.json b/package.json
index f44085e..6a7b5a9 100644
--- a/package.json
+++ b/package.json
@@ -9,7 +9,7 @@
   "scripts": {
     "build": "bun run sync:vditor && nuxt build && bun run cp:db && bun --elide-lines=0 --filter drizzle-pkg build",
     "dev": "bun run sync:vditor && nuxt dev",
-    "deploy": "sh scripts/deploy-gitee.sh",
+    "deploy": "sh scripts/deploy-gitea.sh",
     "sync:vditor": "sh scripts/sync-vditor-assets.sh",
     "cp:db": "cp build-files/run.sh .output/run.sh && cp build-files/.drone.yml .output/.drone.yml && sh scripts/mv-env.sh && cp -r build-files/migrate/* .output/server/ && cp build-files/seed.js .output/server/seed.js",
     "migrate:test": "sh scripts/migrate-test.sh",