diff --git a/.env.example b/.env.example
index 34a15ba..9b3b90c 100644
--- a/.env.example
+++ b/.env.example
@@ -1,5 +1,6 @@
 # TJWater Server 环境变量配置模板
 # 复制此文件为 .env 并填写实际值
+# CI/CD: 将生产 .env 的完整内容保存为 Gitea 仓库密钥 TJWATER_SERVER_ENV。
 ENVIRONMENT="production"
 NETWORK_NAME="tjwater"
 # ============================================
diff --git a/.gitea/workflows/package.yml b/.gitea/workflows/package.yml
index 86907da..2e5fb22 100644
--- a/.gitea/workflows/package.yml
+++ b/.gitea/workflows/package.yml
@@ -112,6 +112,54 @@ jobs:
 --username "${REGISTRY_USERNAME}" \
 --password-stdin
 
+ - name: Materialize runtime env file
+ env:
+ TJWATER_SERVER_ENV: ${{ secrets.TJWATER_SERVER_ENV }}
+ run: |
+ if [ -z "${TJWATER_SERVER_ENV}" ]; then
+ echo "Missing required repository secret: TJWATER_SERVER_ENV"
+ echo "Store the backend .env file content as a multiline Gitea repository secret named TJWATER_SERVER_ENV."
+ exit 1
+ fi
+
+ printf '%s\n' "${TJWATER_SERVER_ENV}" > .env
+ chmod 600 .env
+
+ required_env_keys=(
+ ENVIRONMENT
+ NETWORK_NAME
+ SECRET_KEY
+ ENCRYPTION_KEY
+ DB_NAME
+ DB_HOST
+ DB_PORT
+ DB_USER
+ DB_PASSWORD
+ TIMESCALEDB_DB_NAME
+ TIMESCALEDB_DB_HOST
+ TIMESCALEDB_DB_PORT
+ TIMESCALEDB_DB_USER
+ TIMESCALEDB_DB_PASSWORD
+ METADATA_DB_NAME
+ METADATA_DB_HOST
+ METADATA_DB_PORT
+ METADATA_DB_USER
+ METADATA_DB_PASSWORD
+ DATABASE_ENCRYPTION_KEY
+ )
+
+ missing_keys=()
+ for key in "${required_env_keys[@]}"; do
+ if ! grep -Eq "^[[:space:]]*${key}=" .env; then
+ missing_keys+=("$key")
+ fi
+ done
+
+ if [ "${#missing_keys[@]}" -gt 0 ]; then
+ echo "TJWATER_SERVER_ENV is missing required keys: ${missing_keys[*]}"
+ exit 1
+ fi
+
 - name: Build and Push Image
 run: |
 if [ -z "${IMAGE_NAME:-}" ] || [ -z "${IMAGE_TAG:-}" ]; then
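Review bot: `printf '%s\n' "${TJWATER_SERVER_ENV}" > .env` creates the file under the runner's default umask and only afterwards tightens it with `chmod 600 .env`, so the complete secret bundle is briefly readable by other users on a shared runner; write it with restrictive permissions from the start, e.g. `( umask 077; printf '%s\n' "${TJWATER_SERVER_ENV}" > .env )`, which also makes the separate chmod redundant. The `grep -Eq "^[[:space:]]*${key}=" .env` loop verifies only that each key line exists, so a line such as `SECRET_KEY=` with an empty value passes the check; if empty values should fail fast, `"^[[:space:]]*${key}=.+"` would at least reject the bare case. Because the file is materialized in the workspace immediately before the "Build and Push Image" step, it is presumably inside the docker build context — confirm that `.env` is excluded via `.dockerignore` (or supplied as a build secret) so the database passwords and encryption keys do not end up in an image layer pushed to the registry.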
@@ -165,6 +213,16 @@ jobs:
 webhook_url=$(echo "$webhook_url" | xargs)
+ if [ -z "$webhook_url" ]; then
+ echo "Missing required repository variable: DEPLOY_WEBHOOK_URL"
+ return 1
+ fi
+
+ if [ -z "$token" ]; then
+ echo "Missing required repository secret: DEPLOY_WEBHOOK_TOKEN"
+ return 1
+ fi
+
 echo "[$label] Calling webhook: $webhook_url"
 http_code=$(curl -sS -D /tmp/deploy_headers.txt -o /tmp/deploy_response.txt -w "%{http_code}" -X POST "$webhook_url" \