diff --git a/.gitea/workflows/deploy-socialize.yml b/.gitea/workflows/deploy-socialize.yml
index 6949194..8afb6a3 100644
--- a/.gitea/workflows/deploy-socialize.yml
+++ b/.gitea/workflows/deploy-socialize.yml
@@ -47,19 +47,29 @@ jobs:
           DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
           DEPLOY_SSH_PRIVATE_KEY_B64: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY_B64 }}
           POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
+          SOCIALIZE_IMAGE_TAG: ${{ gitea.sha }}
         run: |
           : "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD secret is required}"
+          : "${SOCIALIZE_IMAGE_TAG:?SOCIALIZE_IMAGE_TAG is required}"
 
           mkdir -p ~/.ssh
           printf '%s' "$DEPLOY_SSH_PRIVATE_KEY_B64" | base64 -d > ~/.ssh/deploy_key
           chmod 600 ~/.ssh/deploy_key
 
+          write_env_value() {
+            key="$1"
+            value="$2"
+            escaped_value="$(printf '%s' "$value" | sed "s/'/'\\\\''/g")"
+            printf "%s='%s'\n" "$key" "$escaped_value"
+          }
+
           deploy_env="$(mktemp)"
           {
-            printf 'POSTGRES_USER=sa\n'
-            printf 'POSTGRES_PASSWORD=%s\n' "$POSTGRES_PASSWORD"
-            printf 'POSTGRES_DB=socialize\n'
-            printf 'ASPNETCORE_ENVIRONMENT=Production\n'
+            write_env_value POSTGRES_USER sa
+            write_env_value POSTGRES_PASSWORD "$POSTGRES_PASSWORD"
+            write_env_value POSTGRES_DB socialize
+            write_env_value ASPNETCORE_ENVIRONMENT Production
+            write_env_value SOCIALIZE_IMAGE_TAG "$SOCIALIZE_IMAGE_TAG"
           } > "$deploy_env"
 
           scp -i ~/.ssh/deploy_key -o StrictHostKeyChecking=accept-new "$deploy_env" "$DEPLOY_USER@$DEPLOY_HOST:/srv/prod/socialize/.env"