diff --git a/.forgejo/workflows/deploy-cfn.yml b/.forgejo/workflows/deploy-cfn.yml
index 47e2279..98fb1d5 100644
--- a/.forgejo/workflows/deploy-cfn.yml
+++ b/.forgejo/workflows/deploy-cfn.yml
@@ -12,7 +12,8 @@ jobs:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
- AWS_DEFAULT_REGION: ${{ secrets.LOWER }}
+ AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
+ LOWER: ${{ secrets.LOWER }}
 steps:
 - name: Prepare source
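Review bot: `LOWER: ${{ secrets.LOWER }}` is added to the job-level `env:` mapping (its header is outside the hunk), so the entire credential bundle is exported into the environment of every step, including `Prepare source` at the end of the hunk, rather than only the step that parses it. Moving it to a step-level `env:` on the parsing step keeps the raw bundle out of checkout and tooling steps that have no use for it: `- name: Parse LOWER bundled secret` / `  env:` / `    LOWER: ${{ secrets.LOWER }}`. Switching `AWS_DEFAULT_REGION` to `secrets.AWS_REGION` while the parser only fills it when empty gives a clear precedence order (explicit secret first, bundle second), which is worth stating in a comment above the line so the two sources are not confused later.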
@@ -60,11 +61,65 @@ jobs:
 echo "Unable to install aws CLI on this runner."
 exit 1
+ - name: Parse LOWER bundled secret
+ run: |
+ set -e
+ if [ -z "$LOWER" ]; then
+ echo "LOWER secret is empty or not set; using individual secrets if present."
+ exit 0
+ fi
+
+ python3 - <<'PY'
+ import json
+ import os
+
+ keys = [
+ "AWS_ACCESS_KEY_ID",
+ "AWS_SECRET_ACCESS_KEY",
+ "AWS_SESSION_TOKEN",
+ "AWS_DEFAULT_REGION",
+ "AWS_REGION",
+ ]
+
+ lower = os.environ.get("LOWER", "")
+ parsed = {}
+
+ # Format 1: JSON object
+ try:
+ obj = json.loads(lower)
+ if isinstance(obj, dict):
+ parsed = {str(k): str(v) for k, v in obj.items() if v is not None}
+ except Exception:
+ pass
+
+ # Format 2: dotenv style lines: KEY=VALUE
+ if not parsed:
+ for line in lower.splitlines():
+ s = line.strip()
+ if not s or s.startswith("#") or "=" not in s:
+ continue
+ k, v = s.split("=", 1)
+ parsed[k.strip()] = v.strip().strip('"').strip("'")
+
+ env_path = os.environ["GITHUB_ENV"]
+ with open(env_path, "a", encoding="utf-8") as f:
+ for k in keys:
+ if os.environ.get(k):
+ continue
+ v = parsed.get(k)
+ if v:
+ f.write(f"{k}={v}\n")
+
+ # Accept AWS_REGION in bundle as region source.
+ if not os.environ.get("AWS_DEFAULT_REGION") and parsed.get("AWS_REGION"):
+ f.write(f"AWS_DEFAULT_REGION={parsed['AWS_REGION']}\n")
+ PY
+
 - name: Check required AWS secrets
 run: |
 [ -n "$AWS_ACCESS_KEY_ID" ] || { echo "Missing required secret/env: AWS_ACCESS_KEY_ID"; exit 1; }
 [ -n "$AWS_SECRET_ACCESS_KEY" ] || { echo "Missing required secret/env: AWS_SECRET_ACCESS_KEY"; exit 1; }
- [ -n "$AWS_DEFAULT_REGION" ] || { echo "Missing required secret/env: AWS_DEFAULT_REGION (mapped from secret LOWER)"; exit 1; }
+ [ -n "$AWS_DEFAULT_REGION" ] || { echo "Missing required secret/env: AWS_DEFAULT_REGION"; exit 1; }
 if [ -z "${AWS_SESSION_TOKEN}" ]; then
 echo "AWS_SESSION_TOKEN is empty. Proceeding with long-lived access keys."
 else
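Review bot: The values appended to `$GITHUB_ENV` at `f.write(f"{k}={v}\n")`, and again in the `AWS_DEFAULT_REGION` fallback write below it, are never checked for line breaks, so a JSON bundle value containing `\n` is split into extra `KEY=VALUE` lines and sets variables outside the `keys` allow-list for every later step; the dotenv branch strips per line and cannot produce this, but `str(v)` in the JSON branch can. Guard each value before writing: `if "\n" in v or "\r" in v: raise SystemExit(f"refusing to write {k}: value contains a line break")`. The individual credentials pulled out of the bundle are also not registered for log masking (only `LOWER` as a whole is a declared secret), so if the runner honors the workflow command, `print(f"::add-mask::{v}")` before each write keeps them out of the output of later steps. The `except Exception: pass` on the JSON attempt silently falls through to the dotenv parser and then to the `Check required AWS secrets` step; an `echo` stating which bundle format was recognized would make a malformed bundle much easier to diagnose.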