diff --git a/.gitea/workflows/kubernetes-deploy.yaml b/.gitea/workflows/kubernetes-deploy.yaml
index bef3075..7488d6a 100644
--- a/.gitea/workflows/kubernetes-deploy.yaml
+++ b/.gitea/workflows/kubernetes-deploy.yaml
@@ -11,6 +11,35 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
+ - name: Get Vault token
+ run: |
+ IDTOKEN=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+ "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=https://vault.hrajfrisbee.cz/")
+
+ TOKEN=$(echo "$IDTOKEN" | jq -r '.value')
+
+ VAULT_TOKEN=$(curl -sS --request POST \
+ --data "{\"jwt\": \"$TOKEN\", \"role\": \"gitea-actions\"}" \
+ https://vault.hrajfrisbee.cz/v1/auth/jwt/login | jq -r '.auth.client_token')
+
+ echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV"
+
+ - name: Debug - print env and OIDC info
+ run: |
+ echo "=== Environment ==="
+ env | sort
+ echo ""
+ echo "=== ID Token (decoded) ==="
+ IDTOKEN=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+ "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=https://vault.hrajfrisbee.cz/")
+ echo "$IDTOKEN" | jq -r '.value' | cut -d. -f2 | base64 -d 2>/dev/null | jq .
+
+ - name: Read secret from Vault
+ run: |
+ SECRET=$(curl -sS -H "X-Vault-Token: $VAULT_TOKEN" \
+ https://vault.hrajfrisbee.cz//v1/secret/data/k8s_home/gitea/gitea-ci-token | jq -r '.data.data.token')
+ echo "SECRET=$SECRET" >> "$GITHUB_ENV"
+
 - name: Install kubectl
 run: |
 curl -sfLO "https://dl.k8s.io/release/$(curl -sfL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
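Review bot: The `Debug - print env and OIDC info` step runs `env | sort`, and by that point `VAULT_TOKEN` has already been exported through `$GITHUB_ENV` by the preceding step, so the Vault client token (plus the decoded OIDC payload printed in the same step) lands in the job log for anyone with read access to the run; that step should be removed rather than merged. Neither `VAULT_TOKEN` nor `SECRET` is masked before being appended to `$GITHUB_ENV`, so any later echo or error trace exposes them too — emit `echo "::add-mask::$VAULT_TOKEN"` (and likewise for `SECRET`) before the append, assuming the Gitea runner honours that workflow command. All three `curl -sS` calls lack `-f`, so a 4xx/5xx from Vault returns an error JSON, `jq -r` yields `null`, and the job carries on with `VAULT_TOKEN=null`; `set -euo pipefail` with `-sSf` surfaces the failure instead. The `Read secret from Vault` URL also carries a doubled slash (`hrajfrisbee.cz//v1/`), unlike the login URL, and the login body is built by string interpolation where `jq -n --arg` would be safer. The hunk's trailing context line appears cut off in this view.
```yaml
      - name: Get Vault token
        run: |
          set -euo pipefail
          IDTOKEN=$(curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=https://vault.hrajfrisbee.cz/")
          TOKEN=$(echo "$IDTOKEN" | jq -r '.value')
          VAULT_TOKEN=$(jq -n --arg jwt "$TOKEN" --arg role gitea-actions '{jwt: $jwt, role: $role}' \
            | curl -sSf --request POST --data @- \
              https://vault.hrajfrisbee.cz/v1/auth/jwt/login | jq -r '.auth.client_token')
          echo "::add-mask::$VAULT_TOKEN"
          echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV"
      # … "Debug - print env and OIDC info" step removed: it dumps VAULT_TOKEN to the log …
      - name: Read secret from Vault
        run: |
          set -euo pipefail
          SECRET=$(curl -sSf -H "X-Vault-Token: $VAULT_TOKEN" \
            https://vault.hrajfrisbee.cz/v1/secret/data/k8s_home/gitea/gitea-ci-token | jq -r '.data.data.token')
          echo "::add-mask::$SECRET"
          echo "SECRET=$SECRET" >> "$GITHUB_ENV"
      # … unchanged: Install kubectl step …
```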