diff --git a/.gitea/workflows/deploy-ci.yaml b/.gitea/workflows/deploy-ci.yaml
index 6ce8ad1..d47ba33 100644
--- a/.gitea/workflows/deploy-ci.yaml
+++ b/.gitea/workflows/deploy-ci.yaml
@@ -48,10 +48,19 @@ jobs:
                 for j in $(seq 0 $((repo_count - 1))); do
                   owner=$(echo "$repos_json" | jq -r ".[$j].owner.login")
                   repo=$(echo "$repos_json" | jq -r ".[$j].name")
-                  readme_json=$(curl -sSL -H "Authorization: token $TOKEN" "$GITEA_API/repos/$owner/$repo/contents/README.md" || echo "{}")
-                  content=$(echo "$readme_json" | jq -r .content 2>/dev/null | base64 -d 2>/dev/null || echo "")
+                  readme_json=$(curl -sSL -H "Authorization: token $TOKEN" \
+                    "$GITEA_API/repos/$owner/$repo/contents/README.md?ref=main" || echo "{}")
+                  content=$(echo "$readme_json" | jq -r .content 2>/dev/null \
+                              | base64 -d 2>/dev/null || echo "")
 
-                  if echo "$content" | grep -qE "^---$" && echo "$content" | grep -q "^gitea: none" && echo "$content" | grep -q "^include_toc: true" && echo "$content" | grep -q "^# Skins"; then
+                  content=$(echo "$content" \
+                    | sed $'1s/^\xEF\xBB\xBF//' \
+                    | sed 's/\r$//' )
+
+                  if echo "$content" | grep -qE '^\s*---\s*$' \
+                     && echo "$content" | grep -qE '^\s*gitea:\s*none\s*$' \
+                     && echo "$content" | grep -qE '^\s*include_toc:\s*true\s*$' \
+                     && echo "$content" | grep -qE '^\s*#\s*Skins'; then
                     echo "$owner/$repo" >> "$valid_repos_file"
                     echo "added $owner/$repo"
                     repo_matched=true
@@ -80,12 +89,10 @@ jobs:
             repo=${repo_full##*/}
             api="$GITEA_API/repos/$owner/$repo"
 
-            # 1) figure out the default branch
             default_branch=$(curl -sSL --fail -H "Authorization: token $TOKEN" \
                               "$api" \
                               | jq -r '.default_branch')
 
-            # 2) delete the latest non-v1.0.0 tag (but ignore if none)
             latest_tag=$(curl -sSL --fail -H "Authorization: token $TOKEN" \
                          "$api/tags" \
                          | jq -r '.[0].name // empty')
@@ -94,15 +101,13 @@ jobs:
               curl -sSL -X DELETE -H "Authorization: token $TOKEN" \
                    "$api/git/refs/tags/$latest_tag" \
                    && echo "🗑  Deleted tag $latest_tag" \
-                   || true  # ignore 404 / failures here
+                   || true
             fi
 
-            # 3) fetch existing file SHA (if any)
             url="$api/contents/$TEMPLATE_PATH"
             sha=$(curl -sSL -H "Authorization: token $TOKEN" "$url" \
                   | jq -r 'select(.sha != null).sha // empty' || true)
 
-            # 4) build our payload
             if [[ -z "$sha" ]]; then
               action="Add"
               msg="Add CI from skins-template"
@@ -122,7 +127,6 @@ jobs:
                 '{message: $message, content: $content, sha: $sha, branch: $branch}')
             fi
 
-            # 5) push it
             if curl -sSL --fail -X PUT \
                   -H "Authorization: token $TOKEN" \
                   -H "Content-Type: application/json" \