diff --git a/.forgejo/workflows/signal-rebuild.yml b/.forgejo/workflows/signal-rebuild.yml
index dbba01f..09df0b9 100644
--- a/.forgejo/workflows/signal-rebuild.yml
+++ b/.forgejo/workflows/signal-rebuild.yml
@@ -18,19 +18,27 @@ jobs:
           PUBLIC_URL_BASE: ${{ vars.PUBLIC_URL_BASE }}
           PUBLIC_POCKET_URL: ${{ vars.PUBLIC_POCKET_URL }}
         run: |
-          sshkey=$(mktemp)
-          trap "rm -rf \"$sshkey\"" exit
+          set -euo pipefail
 
-          # write SSH key and lock down permissions
-          echo -e "$SSH_PRIVATE_KEY" > "$sshkey"
+          sshkey=$(mktemp)
+          trap 'rm -f "$sshkey"' EXIT
+
+          printf '%s\n' "$SSH_PRIVATE_KEY" > "$sshkey"
           chmod 600 "$sshkey"
 
+          echo "BRANCH is: $BRANCH"
+
           service="build-deprived-website-$BRANCH"
-          sshargs="-o LogLevel=ERROR -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+          sshargs='-o LogLevel=ERROR -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
 
           echo "Starting systemd oneshot service: $service"
-          ssh -i "$sshkey" $sshargs deprivedbuilder@deprived.dev -t \
-            "sudo /run/current-system/sw/bin/systemctl start \"$service\""
 
-          echo "Build Log: $(ssh -i "$sshkey" $sshargs deprivedbuilder@deprived.dev "cat ~/latest_build.log")"
+          # No -t, no extra quotes around $service
+          ssh -i "$sshkey" $sshargs deprivedbuilder@deprived.dev \
+            "sudo /run/current-system/sw/bin/systemctl start $service"
+
+          echo "Build Log:"
+          ssh -i "$sshkey" $sshargs deprivedbuilder@deprived.dev \
+            "cat ~/latest_build.log"
+