diff --git a/.gitea/workflows/build-image.yml b/.gitea/workflows/build-image.yml
index 95f715f..eb75846 100644
--- a/.gitea/workflows/build-image.yml
+++ b/.gitea/workflows/build-image.yml
@@ -97,7 +97,10 @@ jobs:
     needs: build
     runs-on: ubuntu-latest
     steps:
-      # deploy job 跑在独立 runner 容器上，凭据不从 build job 继承，必须再登一次
+      # 不再 clone nas-infra：deploy 直接操作 NAS 上 /volume1/docker/compose/obsidian-mcp/。
+      # 该目录由 gitea-runner 挂载暴露给 runner（host 模式 + bind mount）。
+      # .env.shared 也在那一层（../.env.shared），不需要再注入凭据。
+      # nas-infra 的 compose 改动靠 NAS 上手动 `git pull` 同步，不进 CI 链路。
       - name: Login to Gitea Container Registry
         uses: docker/login-action@v3
         with:
@@ -106,26 +109,11 @@ jobs:
           password: ${{ secrets.PACKAGES_TOKEN }}
 
       - name: Pull and restart obsidian-mcp
-        env:
-          NAS_INFRA_TOKEN: ${{ secrets.NAS_INFRA_TOKEN }}
         run: |
           set -e
-
-          TMPDIR=$(mktemp -d)
-          trap 'rm -rf "$TMPDIR"' EXIT
-
-          if [ -n "$NAS_INFRA_TOKEN" ]; then
-            CLONE_URL="https://x-access-token:${NAS_INFRA_TOKEN}@git.zhengchentao.win/dev/nas-infra.git"
-          else
-            CLONE_URL="https://git.zhengchentao.win/dev/nas-infra.git"
-          fi
-
-          git clone --depth 1 "$CLONE_URL" "$TMPDIR/nas-infra"
-          cd "$TMPDIR/nas-infra/obsidian-mcp"
-
+          cd /volume1/docker/compose/obsidian-mcp
           docker compose pull
           docker compose up -d
-
           sleep 3
           docker compose ps
           docker compose logs --tail=30 obsidian-mcp