diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml new file mode 100644 index 0000000..cfa9cce --- /dev/null +++ b/.gitea/workflows/deploy.yml @@ -0,0 +1,36 @@ +name: Deploy + +# Fast-path publish: on push to main, SSH to the tutorials LXC and trigger the +# host-side oneshot deploy.service. The SSH key is restricted by a forced +# command in ~deploy/.ssh/authorized_keys, so even a leaked key can only +# redeploy public content. The host's 5-min poll-fallback timer covers any +# missed delivery, so this job is a latency optimization, not the only path. + +on: + push: + branches: [main] + +jobs: + deploy: + runs-on: ubuntu-latest + steps: + - name: Trigger tutorials redeploy over SSH + env: + DEPLOY_KEY: ${{ secrets.TUTORIALS_DEPLOY_KEY }} + DEPLOY_HOST: REDACTED + DEPLOY_USER: deploy + run: | + set -eu + # Ensure an SSH client is available on the runner image. + if ! command -v ssh >/dev/null 2>&1; then + (apt-get update && apt-get install -y openssh-client) >/dev/null + fi + install -d -m 700 ~/.ssh + printf '%s\n' "$DEPLOY_KEY" > ~/.ssh/deploy_key + chmod 600 ~/.ssh/deploy_key + # Forced command runs regardless of the remote command; we send a + # harmless placeholder. accept-new pins the host key on first use. + ssh -o StrictHostKeyChecking=accept-new \ + -o BatchMode=yes \ + -i ~/.ssh/deploy_key \ + "${DEPLOY_USER}@${DEPLOY_HOST}" deploy
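Review bot: `StrictHostKeyChecking=accept-new` does not pin anything here, because `ubuntu-latest` is a fresh runner on every push, so every run is a "first use" and any host answering for `$DEPLOY_HOST` is accepted; the comment "accept-new pins the host key on first use" should be corrected, since the pin lives only as long as that one job. Authentication is public-key, so a spoofed host cannot recover the private key, but it can accept the connection and exit 0 so the job looks green while nothing was deployed (the 5-minute poll fallback noted in the header would then be the only real path). Seed the host key from a repo variable instead and fail closed, e.g. `printf '%s\n' "$DEPLOY_HOST_KEY" > ~/.ssh/known_hosts` before the ssh call, with `-o StrictHostKeyChecking=yes` in place of `accept-new`, where `DEPLOY_HOST_KEY` is an `env:` entry holding the host's public key line (presumably from `ssh-keyscan` run once out of band; it is public, so a plain variable is fine). Also consider `-o ConnectTimeout=15` so a silent host does not hold the job until the runner's own timeout.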