diff --git a/.forgejo/workflows/deploy.yaml b/.forgejo/workflows/deploy.yaml
index 9fb4ad5..faea836 100644
--- a/.forgejo/workflows/deploy.yaml
+++ b/.forgejo/workflows/deploy.yaml
@@ -18,7 +18,6 @@ jobs:
     steps:
       - name: Install Dependencies
         run: |
-          # Adicionado retry para evitar falhas de rede temporárias
           sed -i 's/dl-cdn.alpinelinux.org/mirror.leaseweb.com/g' /etc/apk/repositories
           apk add --no-cache git docker-cli nodejs
 
@@ -40,7 +39,6 @@ jobs:
 
       - name: Build and Push Backoffice
         run: |
-          # Removido --no-cache para usar o cache local do runner e acelerar o processo
           cd backoffice
           docker build -t ${{ env.REGISTRY }}/bohessefm/backoffice:latest -t ${{ env.REGISTRY }}/bohessefm/backoffice:${{ github.sha }} .
           docker push ${{ env.REGISTRY }}/bohessefm/backoffice:latest
@@ -49,12 +47,17 @@ jobs:
   deploy-to-k3s:
     needs: build-and-push
     runs-on: docker-ready
+    defaults:
+      run:
+        shell: sh # <--- CRUCIAL: Adicionado para evitar erro de 'bash not found'
     steps:
       - name: Install Tools
         run: |
+          sed -i 's/dl-cdn.alpinelinux.org/mirror.leaseweb.com/g' /etc/apk/repositories
           apk add --no-cache git curl
           if [ ! -f /usr/local/bin/kubectl ]; then
-            curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+            KVER=$(curl -L -s https://dl.k8s.io/release/stable.txt)
+            curl -LO "https://dl.k8s.io/release/${KVER}/bin/linux/amd64/kubectl"
             chmod +x kubectl
             mv kubectl /usr/local/bin/
           fi
@@ -67,21 +70,26 @@ jobs:
           mkdir -p $HOME/.kube
           echo "${{ secrets.KUBECONFIG }}" > $HOME/.kube/config
           chmod 600 $HOME/.kube/config
+          export KUBECONFIG=$HOME/.kube/config
           
-          # Criar namespace e secrets (Garantindo que o token do registry esteja atualizado)
+          # 1. Namespace
           kubectl create namespace gohorsejobsdev --dry-run=client -o yaml | kubectl apply -f -
           
-          # Criar secret de imagem
-          kubectl -n gohorsejobsdev create secret docker-registry forgejo-registry \
+          # 2. Secret de Pull (Nomeado como registry-auth conforme sua preferência)
+          kubectl -n gohorsejobsdev create secret docker-registry registry-auth \
             --docker-server=${{ env.REGISTRY }} \
             --docker-username=bohessefm \
             --docker-password='${{ secrets.FORGEJO_TOKEN }}' \
             --dry-run=client -o yaml | kubectl apply -f -
 
-          # Aplicar manifestos e atualizar imagens para a tag do commit (SHA)
-          # Isso força o K8s a atualizar sem precisar de 'rollout restart'
+          # 3. Secrets da Aplicação (Idempotente)
+          kubectl -n gohorsejobsdev create secret generic backend-secrets \
+            --from-literal=DATABASE_URL='${{ vars.DATABASE_URL }}' \
+            --dry-run=client -o yaml | kubectl apply -f -
+
+          # 4. Aplicar Manifestos
           kubectl apply -f k8s/dev/ -n gohorsejobsdev
           
-          # Atualização direta para garantir a versão exata do build atual
+          # 5. Atualização Direta de Imagem
           kubectl -n gohorsejobsdev set image deployment/gohorse-backend-dev backend=${{ env.REGISTRY }}/bohessefm/gohorsejobs:${{ github.sha }}
           kubectl -n gohorsejobsdev set image deployment/gohorse-backoffice-dev backoffice=${{ env.REGISTRY }}/bohessefm/backoffice:${{ github.sha }}
\ No newline at end of file