diff --git a/.gitea/workflows/kubernetes-deploy.yaml b/.gitea/workflows/kubernetes-deploy.yaml
index 69b8f66..bef3075 100644
--- a/.gitea/workflows/kubernetes-deploy.yaml
+++ b/.gitea/workflows/kubernetes-deploy.yaml
@@ -19,15 +19,23 @@ jobs:
 - name: Get Kanidm token from Vault
 id: vault
 run: |
+ set -euxo pipefail
+
 # Authenticate to Vault (AppRole — no CLI needed)
- VAULT_TOKEN=$(curl -sf --request POST \
+ VAULT_AUTH_RESPONSE=$(curl -f --request POST \
 --data '{"role_id":"${{ secrets.VAULT_ROLE_ID }}","secret_id":"${{ secrets.VAULT_SECRET_ID }}"}' \
- https://vault.hrajfrisbee.cz/v1/auth/approle/login | jq -r '.auth.client_token')
+ https://vault.hrajfrisbee.cz/v1/auth/approle/login)
+
+ echo "Vault auth response: $VAULT_AUTH_RESPONSE" >&2
+ VAULT_TOKEN=$(echo "$VAULT_AUTH_RESPONSE" | jq -r '.auth.client_token')
 # Read the kanidm API token
- API_TOKEN=$(curl -sf \
+ SECRET_RESPONSE=$(curl -f \
 -H "X-Vault-Token: ${VAULT_TOKEN}" \
- https://vault.hrajfrisbee.cz/v1/secret/data/k8s_home/gitea/gitea-ci-token | jq -r '.data.data.token')
+ https://vault.hrajfrisbee.cz/v1/secret/data/k8s_home/gitea/gitea-ci-token)
+
+ echo "Secret response: $SECRET_RESPONSE" >&2
+ API_TOKEN=$(echo "$SECRET_RESPONSE" | jq -r '.data.data.token')
 echo "::add-mask::${API_TOKEN}"
 echo "api_token=${API_TOKEN}" >> "$GITHUB_OUTPUT"
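Review bot: The two added `echo "... response: $..." >&2` lines and the `x` in `set -euxo pipefail` write credentials to the job log: the AppRole login response carries `.auth.client_token`, the KV response carries `.data.data.token`, and xtrace prints the expanded `X-Vault-Token` header and both token assignments. `::add-mask::${API_TOKEN}` is issued only after that token has already been printed, and the Vault token is never masked at all. I would use `set -euo pipefail`, drop both response echoes (or log only `jq -r '.errors // empty'` on failure), and add `echo "::add-mask::${VAULT_TOKEN}"` right after it is extracted. If this debug version has already run, the stored logs likely contain live tokens, so rotating the AppRole `secret_id` and the kanidm token is worth doing. The `run` script may continue past the end of the hunk.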