diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml
index 8254053..e15b6bc 100644
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@@ -23,6 +23,8 @@ jobs:
         run: |
           set -euo pipefail
 
+          echo "SSH setup: host=$SERVICE_HOST"
+
           if ! command -v ssh >/dev/null 2>&1; then
             if command -v apk >/dev/null 2>&1; then
               apk add --no-cache openssh-client
@@ -38,10 +40,21 @@ jobs:
           : "${SERVICE_HOST:?Missing secret SERVICE_HOST}"
           : "${SERVICE_SSH_KEY:?Missing secret SERVICE_SSH_KEY}"
 
+          echo "Checking TCP/22 reachability..."
+          timeout 5 bash -lc "</dev/tcp/$SERVICE_HOST/22" || {
+            echo "ERROR: Cannot reach $SERVICE_HOST:22 from runner container" >&2
+            exit 1
+          }
+
           mkdir -p ~/.ssh
           printf '%s\n' "$SERVICE_SSH_KEY" | tr -d '\r' > ~/.ssh/id_ed25519
           chmod 600 ~/.ssh/id_ed25519
-          ssh-keyscan -H "$SERVICE_HOST" >> ~/.ssh/known_hosts
+
+          echo "Fetching host key (ssh-keyscan)..."
+          ssh-keyscan -T 5 -H "$SERVICE_HOST" >> ~/.ssh/known_hosts || {
+            echo "ERROR: ssh-keyscan failed for $SERVICE_HOST" >&2
+            exit 1
+          }
 
       # Deploy app locally on the runner host
       - name: Deploy App (Docker Compose)