diff --git a/.gitea/workflows/deploy-ci.yaml b/.gitea/workflows/deploy-ci.yaml
index 77b4439..6ce8ad1 100644
--- a/.gitea/workflows/deploy-ci.yaml
+++ b/.gitea/workflows/deploy-ci.yaml
@@ -75,50 +75,63 @@ jobs:
           set -eo pipefail
 
           mapfile -t repos < "$VALID_REPOS_FILE"
-          for idx in "${!repos[@]}"; do
-            repo_full=${repos[$idx]}
+          for repo_full in "${repos[@]}"; do
             owner=${repo_full%%/*}
             repo=${repo_full##*/}
-            url="$GITEA_API/repos/$owner/$repo/contents/$TEMPLATE_PATH"
+            api="$GITEA_API/repos/$owner/$repo"
 
+            # 1) figure out the default branch
+            default_branch=$(curl -sSL --fail -H "Authorization: token $TOKEN" \
+                              "$api" \
+                              | jq -r '.default_branch')
+
+            # 2) delete the latest non-v1.0.0 tag (but ignore if none)
             latest_tag=$(curl -sSL --fail -H "Authorization: token $TOKEN" \
-              "$GITEA_API/repos/$owner/$repo/tags" \
-              | jq -r '.[0].name // empty' )
+                         "$api/tags" \
+                         | jq -r '.[0].name // empty')
 
             if [[ -n "$latest_tag" && "$latest_tag" != "v1.0.0" ]]; then
-              curl -sSL --fail -X DELETE \
-                -H "Authorization: token $TOKEN" \
-                "$GITEA_API/repos/$owner/$repo/git/refs/tags/$latest_tag" \
-                >/dev/null
+              curl -sSL -X DELETE -H "Authorization: token $TOKEN" \
+                   "$api/git/refs/tags/$latest_tag" \
+                   && echo "🗑  Deleted tag $latest_tag" \
+                   || true  # ignore 404 / failures here
             fi
 
-            sha=$(curl -sSL --fail -H "Authorization: token $TOKEN" "$url" \
-                  | jq -r 'select(.sha != null).sha // empty')
+            # 3) fetch existing file SHA (if any)
+            url="$api/contents/$TEMPLATE_PATH"
+            sha=$(curl -sSL -H "Authorization: token $TOKEN" "$url" \
+                  | jq -r 'select(.sha != null).sha // empty' || true)
 
+            # 4) build our payload
             if [[ -z "$sha" ]]; then
+              action="Add"
               msg="Add CI from skins-template"
               payload=$(jq -nc \
                 --arg message "$msg" \
                 --arg content "$TEMPLATE_B64" \
-                '{message: $message, content: $content, branch: "main"}')
+                --arg branch "$default_branch" \
+                '{message: $message, content: $content, branch: $branch}')
             else
+              action="Update"
               msg="Update CI from skins-template"
               payload=$(jq -nc \
                 --arg message "$msg" \
                 --arg content "$TEMPLATE_B64" \
                 --arg sha "$sha" \
-                '{message: $message, content: $content, sha: $sha, branch: "main"}')
+                --arg branch "$default_branch" \
+                '{message: $message, content: $content, sha: $sha, branch: $branch}')
             fi
 
+            # 5) push it
             if curl -sSL --fail -X PUT \
-                -H "Authorization: token $TOKEN" \
-                -H "Content-Type: application/json" \
-                -d "$payload" \
-                "$url" \
-                >/dev/null; then
-              echo "✅ $owner/$repo"
+                  -H "Authorization: token $TOKEN" \
+                  -H "Content-Type: application/json" \
+                  -d "$payload" \
+                  "$url" \
+                  >/dev/null; then
+              echo "✅ $action $owner/$repo on branch $default_branch"
             else
-              echo "❌ $owner/$repo" >&2
+              echo "❌ $action failed for $owner/$repo → $url" >&2
             fi
 
           done