diff --git a/.forgejo/workflows/deploy-cfn.yml b/.forgejo/workflows/deploy-cfn.yml
index 98fb1d5..238acc0 100644
--- a/.forgejo/workflows/deploy-cfn.yml
+++ b/.forgejo/workflows/deploy-cfn.yml
@@ -65,55 +65,55 @@ jobs:
           run: |
             set -e
             if [ -z "$LOWER" ]; then
-            echo "LOWER secret is empty or not set; using individual secrets if present."
-            exit 0
+                echo "LOWER secret is empty or not set; using individual secrets if present."
+                exit 0
             fi
 
             python3 - <<'PY'
-      import json
-      import os
+              import json
+              import os
 
-      keys = [
-        "AWS_ACCESS_KEY_ID",
-        "AWS_SECRET_ACCESS_KEY",
-        "AWS_SESSION_TOKEN",
-        "AWS_DEFAULT_REGION",
-        "AWS_REGION",
-      ]
+              keys = [
+                  "AWS_ACCESS_KEY_ID",
+                  "AWS_SECRET_ACCESS_KEY",
+                  "AWS_SESSION_TOKEN",
+                  "AWS_DEFAULT_REGION",
+                  "AWS_REGION",
+              ]
 
-      lower = os.environ.get("LOWER", "")
-      parsed = {}
+              lower = os.environ.get("LOWER", "")
+              parsed = {}
 
-      # Format 1: JSON object
-      try:
-        obj = json.loads(lower)
-        if isinstance(obj, dict):
-          parsed = {str(k): str(v) for k, v in obj.items() if v is not None}
-      except Exception:
-        pass
+              # Format 1: JSON object
+              try:
+                  obj = json.loads(lower)
+                  if isinstance(obj, dict):
+                      parsed = {str(k): str(v) for k, v in obj.items() if v is not None}
+              except Exception:
+                  pass
 
-      # Format 2: dotenv style lines: KEY=VALUE
-      if not parsed:
-        for line in lower.splitlines():
-          s = line.strip()
-          if not s or s.startswith("#") or "=" not in s:
-            continue
-          k, v = s.split("=", 1)
-          parsed[k.strip()] = v.strip().strip('"').strip("'")
+              # Format 2: dotenv style lines: KEY=VALUE
+              if not parsed:
+                  for line in lower.splitlines():
+                      s = line.strip()
+                      if not s or s.startswith("#") or "=" not in s:
+                          continue
+                      k, v = s.split("=", 1)
+                      parsed[k.strip()] = v.strip().strip('"').strip("'")
 
-      env_path = os.environ["GITHUB_ENV"]
-      with open(env_path, "a", encoding="utf-8") as f:
-        for k in keys:
-          if os.environ.get(k):
-            continue
-          v = parsed.get(k)
-          if v:
-            f.write(f"{k}={v}\n")
+              env_path = os.environ["GITHUB_ENV"]
+              with open(env_path, "a", encoding="utf-8") as f:
+                  for k in keys:
+                      if os.environ.get(k):
+                          continue
+                      v = parsed.get(k)
+                      if v:
+                          f.write(f"{k}={v}\\n")
 
-        # Accept AWS_REGION in bundle as region source.
-        if not os.environ.get("AWS_DEFAULT_REGION") and parsed.get("AWS_REGION"):
-          f.write(f"AWS_DEFAULT_REGION={parsed['AWS_REGION']}\n")
-      PY
+                  # Accept AWS_REGION in bundle as region source.
+                  if not os.environ.get("AWS_DEFAULT_REGION") and parsed.get("AWS_REGION"):
+                      f.write(f"AWS_DEFAULT_REGION={parsed['AWS_REGION']}\\n")
+              PY
 
       - name: Check required AWS secrets
         run: |