diff --git a/.forgejo/workflows/deploy-cfn.yml b/.forgejo/workflows/deploy-cfn.yml
index 18cc6b8..26a733a 100644
--- a/.forgejo/workflows/deploy-cfn.yml
+++ b/.forgejo/workflows/deploy-cfn.yml
@@ -20,25 +20,16 @@ jobs:
       - name: Ensure AWS CLI
         run: |
           if ! command -v aws >/dev/null 2>&1; then
-            if command -v apk >/dev/null 2>&1; then
-              apk add --no-cache aws-cli
-            elif command -v apt-get >/dev/null 2>&1; then
-              apt-get update && apt-get install -y awscli
-            else
-              echo "No supported package manager found for awscli install"
-              exit 1
-            fi
+            echo "aws CLI is not available on this runner. Install aws cli on the runner host/container and rerun."
+            exit 1
           fi
           aws --version
 
       - name: Check required AWS secrets
         run: |
-          for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION; do
-            if [ -z "${!v}" ]; then
-              echo "Missing required secret/env: $v"
-              exit 1
-            fi
-          done
+          [ -n "$AWS_ACCESS_KEY_ID" ] || { echo "Missing required secret/env: AWS_ACCESS_KEY_ID"; exit 1; }
+          [ -n "$AWS_SECRET_ACCESS_KEY" ] || { echo "Missing required secret/env: AWS_SECRET_ACCESS_KEY"; exit 1; }
+          [ -n "$AWS_DEFAULT_REGION" ] || { echo "Missing required secret/env: AWS_DEFAULT_REGION (mapped from secret LOWER)"; exit 1; }
           if [ -z "${AWS_SESSION_TOKEN}" ]; then
             echo "AWS_SESSION_TOKEN is empty. Proceeding with long-lived access keys."
           else