diff --git a/deploy/README.md b/deploy/README.md index 024808d..c5397c7 100644 --- a/deploy/README.md +++ b/deploy/README.md @@ -5,6 +5,7 @@ This repo includes `.gitea/workflows/ci-deploy.yml` for: - backend build - backend tests - frontend tests +- frontend production build - deployment to Ubuntu after successful tests on `main` ### Required secrets in Gitea @@ -16,13 +17,24 @@ This repo includes `.gitea/workflows/ci-deploy.yml` for: Recommended app path: - `/opt/job-tracker/app` +Persistent runtime secrets path: +- `/opt/job-tracker/shared/.env` + Requirements: - Docker Engine - Docker Compose plugin - reverse proxy in front (Nginx, Caddy, or Traefik) -- `.env` file present on server in `/opt/job-tracker/app/.env` +- shared env file present on server in `/opt/job-tracker/shared/.env` - network connectivity from the backend container to your `mariadb` container/service +The deploy script will automatically create a symlink from: +- `/opt/job-tracker/shared/.env` + +to: +- `/opt/job-tracker/app/.env` + +This keeps secrets outside the uploaded repo checkout so they are not wiped by CI deploys. + ### Example production `.env` ```env DATABASE_PROVIDER=mariadb @@ -62,7 +74,7 @@ If this app is going to be a real production service on Ubuntu: 1. push to `main` 2. Gitea Actions runs tests 3. if green, workflow uploads repo to server -4. `deploy/deploy.sh` runs `docker compose build && docker compose up -d` +4. `deploy/deploy.sh` links `/opt/job-tracker/shared/.env` into the repo checkout, then runs `docker compose build && docker compose up -d` 5. workflow checks service status after deployment ## Post-deploy verification you should also do manually the first time diff --git a/deploy/deploy.sh b/deploy/deploy.sh index d99eaf2..0811db5 100644 --- a/deploy/deploy.sh +++ b/deploy/deploy.sh 
@@ -3,8 +3,19 @@ set -euo pipefail cd "$(dirname "$0")/.." -if [ ! -f .env ]; then - echo "Missing .env in deployment directory" +ENV_SOURCE="/opt/job-tracker/shared/.env" +ENV_TARGET=".env" + +if [ ! -f "$ENV_SOURCE" ]; then + echo "Missing shared env file at $ENV_SOURCE" + exit 1 +fi + +# Keep runtime secrets outside the repo checkout so workflow uploads cannot wipe them. +ln -sf "$ENV_SOURCE" "$ENV_TARGET" + +if [ ! -f "$ENV_TARGET" ]; then + echo "Failed to link deployment env file into $(pwd)/$ENV_TARGET" exit 1 fi
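Review bot: in the README hunk at `@@ -16,13` the sentence "create a symlink from `/opt/job-tracker/shared/.env` to `/opt/job-tracker/app/.env`" reads backwards relative to what `deploy.sh` does: the link is created at `/opt/job-tracker/app/.env` and points to `/opt/job-tracker/shared/.env`, so I would reword it to "create `/opt/job-tracker/app/.env` as a symlink pointing at `/opt/job-tracker/shared/.env`". The same hunk should also document the one-time bootstrap the new script now requires, since `deploy.sh` exits with "Missing shared env file" until someone has created `/opt/job-tracker/shared/` and placed the `.env` there, and it should state the expected ownership and mode of that file (it holds the database credentials shown in the example `.env`, so readable only by the deploy user, e.g. `chmod 600`).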
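Review bot: in the `deploy.sh` hunk at `@@ -3,8`, `ln -sf "$ENV_SOURCE" "$ENV_TARGET"` does not cover the case where `.env` already exists in the checkout as a directory (or a symlink to one): `ln` then creates `.env/.env` inside it, the following `[ ! -f "$ENV_TARGET" ]` check fails, and the operator gets the misleading "Failed to link" message. Removing whatever the upload left behind first, e.g. `rm -rf -- "$ENV_TARGET"` immediately before the `ln`, makes the step deterministic and also guarantees a stray `.env` committed to the repo can never shadow the shared secrets. Since the shared file carries production credentials, the existence check on `$ENV_SOURCE` is also a natural place to reject a world-readable file, for example by testing `stat -c '%a' "$ENV_SOURCE"` against `600` and exiting with a clear message, rather than silently deploying with it.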