diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index bddab0b..9c50b85 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: self-hosted
     steps:
       - name: Setup tools
-        run: apk add --no-cache curl
+        run: apk add --no-cache curl python3
 
       - name: Checkout
         run: |
@@ -45,18 +45,40 @@ jobs:
 
       - name: Redeploy Stack via Portainer
         run: |
+          echo "Fetching current stack config from Portainer..."
+
+          # Aktuelles Compose-File aus Portainer lesen
+          STACK_FILE=$(curl -s -k \
+            "https://192.168.1.60:9444/api/stacks/115/file" \
+            -H "X-API-Key: ${{ secrets.PORTAINER_TOKEN }}" \
+            | python3 -c "import sys,json; print(json.load(sys.stdin).get('StackFileContent',''))")
+
+          # Aktuelle Env-Vars aus Portainer lesen (enthält die echten Werte)
+          ENV_VARS=$(curl -s -k \
+            "https://192.168.1.60:9444/api/stacks/115" \
+            -H "X-API-Key: ${{ secrets.PORTAINER_TOKEN }}" \
+            | python3 -c "import sys,json; print(json.dumps(json.load(sys.stdin).get('Env', [])))")
+
+          # Stack mit bestehender Konfiguration neu deployen (keine Credentials im Workflow)
+          PAYLOAD=$(python3 -c "
+          import json, sys
+          stack_file = '''$STACK_FILE'''
+          env_vars = $ENV_VARS
+          print(json.dumps({
+            'stackFileContent': stack_file,
+            'env': env_vars,
+            'prune': True,
+            'pullImage': False
+          }))
+          ")
+
           echo "Redeploying stack wm2026-tippspiel..."
           curl -s -k -X PUT \
             "https://192.168.1.60:9444/api/stacks/115?endpointId=2" \
             -H "X-API-Key: ${{ secrets.PORTAINER_TOKEN }}" \
             -H "Content-Type: application/json" \
-            -d '{
-              "stackFileContent": "services:\n  tippspiel:\n    image: wm2026-tippspiel:latest\n    container_name: wm2026-tippspiel\n    restart: unless-stopped\n    ports:\n      - \"3301:3001\"\n    environment:\n      - NODE_ENV=development\n      - PORT=3001\n      - DATABASE_URL=postgresql://postgres.ggqsfnlqezgxcfqkytrr:***REMOVED-DB-PW***@aws-0-eu-west-1.pooler.supabase.com:6543/postgres\n      - SUPABASE_URL=https://ggqsfnlqezgxcfqkytrr.supabase.co\n      - SUPABASE_SERVICE_ROLE_KEY=***REMOVED-SUPABASE-JWT***\n      - ANTHROPIC_API_KEY=***REMOVED-ANTHROPIC***\n      - FOOTBALL_API_KEY=***REMOVED-FOOTBALL***\n      - FOOTBALL_API_BASE_URL=https://api.football-data.org/v4\n      - ELEVENLABS_API_KEY=***REMOVED-ELEVENLABS***\n      - CORS_ORIGIN=*\n      - STAFFBASE_PUBLIC_KEY=dev-mode-no-key-needed\n      - STAFFBASE_PLUGIN_ID=\n    healthcheck:\n      test: [\"CMD\", \"wget\", \"-qO-\", \"http://localhost:3001/health\"]\n      interval: 30s\n      timeout: 5s\n      start_period: 10s\n      retries: 3\n    networks:\n      - main-network\n\nnetworks:\n  main-network:\n    external: true",
-              "env": [],
-              "prune": true,
-              "pullImage": false
-            }' \
-            | python3 -c "import sys,json; d=json.load(sys.stdin); print('Stack redeployed:', d.get('Name'), '| Status:', d.get('Status'))" 2>/dev/null \
+            -d "$PAYLOAD" \
+            | python3 -c "import sys,json; d=json.load(sys.stdin); print('Stack redeployed:', d.get('Name'), '| Status:', d.get('Status'))" \
             || echo "Stack redeploy triggered."
           echo "Deployment complete!"