diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 2c20102..4bce5a0 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -39,38 +39,53 @@ jobs:
 # 获取密码
 PASSWORD="$1"
+ TARGET_DIR="$2"
+ RUN_USER="$3"
- # 记录旧版本号
- OLD_HEAD=$(git rev-parse HEAD 2>/dev/null || echo "")
-
- # 尝试直接 git pull
- echo "Pulling latest code..."
- if ! git pull; then
- echo "Git pull permission denied, trying with sudo..."
- echo "$PASSWORD" | sudo -S git pull || { echo "Git pull failed"; exit 1; }
+ # 1. 确保目录存在 (脚本已通过 sudo 运行)
+ if [ ! -d "$TARGET_DIR" ]; then
+ mkdir -p "$TARGET_DIR"
 fi
- NEW_HEAD=$(git rev-parse HEAD)
+ # 2. 修正权限,确保用户拥有目录
+ chown -R "$RUN_USER:$RUN_USER" "$TARGET_DIR"
+
+ # 3. 进入目录
+ cd "$TARGET_DIR"
+
+ # 4. 执行 Git 操作 (以用户身份执行,避免 .git 权限问题)
+ # 使用 sudo -u 切换到普通用户执行 git
+ echo "Pulling latest code as $RUN_USER..."
+ OLD_HEAD=$(sudo -u "$RUN_USER" git rev-parse HEAD 2>/dev/null || echo "")
+
+ if ! sudo -u "$RUN_USER" git pull; then
+ echo "Git pull failed"
+ exit 1
+ fi
+
+ NEW_HEAD=$(sudo -u "$RUN_USER" git rev-parse HEAD)
 if [ "$OLD_HEAD" == "$NEW_HEAD" ]; then
 echo "No changes detected, skipping deploy"
+ # exit 0 # 即使代码没变,如果用户想强制重启也可以注释掉这行
 exit 0
 fi
+ # 5. 执行 Docker 操作 (以 root 身份执行)
 # 检查构建文件变动
- if git diff --name-only $OLD_HEAD $NEW_HEAD | grep -E 'Dockerfile|requirements.txt'; then
+ if sudo -u "$RUN_USER" git diff --name-only $OLD_HEAD $NEW_HEAD | grep -E 'Dockerfile|requirements.txt'; then
 echo "Build files changed, rebuilding..."
- echo "$PASSWORD" | sudo -S docker compose down --rmi local
- echo "$PASSWORD" | sudo -S docker rmi epaper_server:latest || true
- echo "$PASSWORD" | sudo -S docker compose up -d --build
+ docker compose down --rmi local
+ docker rmi epaper_server:latest || true
+ docker compose up -d --build
 else
 echo "Only code changed, restarting container..."
- echo "$PASSWORD" | sudo -S docker compose down
- echo "$PASSWORD" | sudo -S docker compose up -d
+ docker compose down
+ docker compose up -d
 fi
 EOS
- # 创建 expect 脚本,只负责上传脚本和执行脚本
+ # 创建 expect 脚本,负责上传到 /tmp 并 sudo 执行
 cat > deploy_script.exp <