diff --git a/.forgejo/workflows/deploy.yaml b/.forgejo/workflows/deploy.yaml
index 9421276..f3614aa 100644
--- a/.forgejo/workflows/deploy.yaml
+++ b/.forgejo/workflows/deploy.yaml
@@ -58,44 +58,47 @@ jobs:
 
       - name: Sync Secrets and Vars
         run: |
-          # 1. Garante que o namespace existe
+          # 1. Garante o namespace
           kubectl create namespace ${{ env.NAMESPACE }} --dry-run=client -o yaml | kubectl apply -f -
 
-          # 2. Sincroniza Registry Secret limpando metadados que causam erro de Conflict
+          # 2. Sincroniza Registry Secret com limpeza de metadados
           kubectl get secret forgejo-registry-secret --namespace=forgejo -o yaml | \
           grep -vE "resourceVersion|uid|creationTimestamp|namespace" | \
           kubectl apply --namespace=${{ env.NAMESPACE }} -f -
 
-          # 3. Prepara a chave RSA
+          # 3. Limpeza Radical da Chave RSA (O maior culpado do erro UTF-8)
           RSA_CONTENT="${{ secrets.RSA_PRIVATE_KEY_BASE64 || vars.RSA_PRIVATE_KEY_BASE64 }}"
           if [ -n "$RSA_CONTENT" ]; then
-            echo "$RSA_CONTENT" > /tmp/rsa_raw.txt
-            if base64 -d /tmp/rsa_raw.txt > /tmp/rsa_key.pem 2>/dev/null; then
-              echo "RSA Key decoded successfully."
-            else
-              cp /tmp/rsa_raw.txt /tmp/rsa_key.pem
-            fi
+            # Remove espaços, quebras de linha e garante decodificação limpa
+            echo "$RSA_CONTENT" | tr -d '\r\n ' > /tmp/rsa_clean_base64.txt
+            base64 -d /tmp/rsa_clean_base64.txt > /tmp/rsa_key.pem || cp /tmp/rsa_clean_base64.txt /tmp/rsa_key.pem
           fi
 
-          # 4. Cria ou atualiza a backend-secrets (sem deletar antes para evitar downtime)
+          # 4. Criação da Secret via ENV-FILE (Evita corrupção de caracteres no shell)
+          # Usamos um 'cat' com delimitador único para não processar variáveis locais
+          cat <<'EOF' > .env.backend
+MTU=${{ vars.MTU }}
+DATABASE_URL=${{ vars.DATABASE_URL }}
+AMQP_URL=${{ vars.AMQP_URL }}
+JWT_SECRET=${{ vars.JWT_SECRET }}
+JWT_EXPIRATION=${{ vars.JWT_EXPIRATION }}
+PASSWORD_PEPPER=${{ vars.PASSWORD_PEPPER }}
+COOKIE_SECRET=${{ vars.COOKIE_SECRET }}
+COOKIE_DOMAIN=${{ vars.COOKIE_DOMAIN }}
+BACKEND_PORT=${{ vars.BACKEND_PORT }}
+BACKEND_HOST=${{ vars.BACKEND_HOST }}
+ENV=${{ vars.ENV }}
+CORS_ORIGINS=${{ vars.CORS_ORIGINS }}
+S3_BUCKET=${{ vars.S3_BUCKET }}
+AWS_REGION=${{ vars.AWS_REGION }}
+AWS_ENDPOINT=${{ vars.AWS_ENDPOINT }}
+AWS_ACCESS_KEY_ID=${{ vars.AWS_ACCESS_KEY_ID }}
+AWS_SECRET_ACCESS_KEY=${{ vars.AWS_SECRET_ACCESS_KEY }}
+EOF
+
+          # Aplica a secret lendo o arquivo de ambiente e o arquivo RSA
           kubectl create secret generic backend-secrets -n ${{ env.NAMESPACE }} \
-            --from-literal=MTU="${{ vars.MTU }}" \
-            --from-literal=DATABASE_URL="${{ vars.DATABASE_URL }}" \
-            --from-literal=AMQP_URL="${{ vars.AMQP_URL }}" \
-            --from-literal=JWT_SECRET="${{ vars.JWT_SECRET }}" \
-            --from-literal=JWT_EXPIRATION="${{ vars.JWT_EXPIRATION }}" \
-            --from-literal=PASSWORD_PEPPER="${{ vars.PASSWORD_PEPPER }}" \
-            --from-literal=COOKIE_SECRET="${{ vars.COOKIE_SECRET }}" \
-            --from-literal=COOKIE_DOMAIN="${{ vars.COOKIE_DOMAIN }}" \
-            --from-literal=BACKEND_PORT="${{ vars.BACKEND_PORT }}" \
-            --from-literal=BACKEND_HOST="${{ vars.BACKEND_HOST }}" \
-            --from-literal=ENV="${{ vars.ENV }}" \
-            --from-literal=CORS_ORIGINS="${{ vars.CORS_ORIGINS }}" \
-            --from-literal=S3_BUCKET="${{ vars.S3_BUCKET }}" \
-            --from-literal=AWS_REGION="${{ vars.AWS_REGION }}" \
-            --from-literal=AWS_ENDPOINT="${{ vars.AWS_ENDPOINT }}" \
-            --from-literal=AWS_ACCESS_KEY_ID="${{ vars.AWS_ACCESS_KEY_ID }}" \
-            --from-literal=AWS_SECRET_ACCESS_KEY="${{ vars.AWS_SECRET_ACCESS_KEY }}" \
+            --from-env-file=.env.backend \
             $( [ -f /tmp/rsa_key.pem ] && echo "--from-file=private_key.pem=/tmp/rsa_key.pem" ) \
             --dry-run=client -o yaml | kubectl apply -f -
 
@@ -103,13 +106,10 @@ jobs:
         run: |
           kubectl apply -f k8s/dev/ -n ${{ env.NAMESPACE }}
           
-          # Atualiza as imagens nos deployments
           kubectl -n ${{ env.NAMESPACE }} set image deployment/gohorse-backend-dev backend=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }}
           kubectl -n ${{ env.NAMESPACE }} set image deployment/gohorse-backoffice-dev backoffice=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/backoffice:${{ github.sha }}
           
-          # Restart para garantir que novos pods peguem a Secret atualizada
           kubectl -n ${{ env.NAMESPACE }} rollout restart deployment/gohorse-backend-dev
           kubectl -n ${{ env.NAMESPACE }} rollout restart deployment/gohorse-backoffice-dev
           
-          # Aguarda o backend ficar pronto
           kubectl -n ${{ env.NAMESPACE }} rollout status deployment/gohorse-backend-dev --timeout=120s
\ No newline at end of file