diff --git a/.forgejo/workflows/deploy-cfn.yml b/.forgejo/workflows/deploy-cfn.yml
index 8c0117e..7af6a3d 100644
--- a/.forgejo/workflows/deploy-cfn.yml
+++ b/.forgejo/workflows/deploy-cfn.yml
@@ -8,6 +8,11 @@ on:
 jobs:
 deploy:
 runs-on: nas-safe
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
+ AWS_DEFAULT_REGION: ${{ secrets.LOWER }}
 steps:
 - uses: actions/checkout@v4
 
@@ -26,23 +31,24 @@ jobs:
 fi
 aws --version
 
+ - name: Check required AWS secrets
+ run: |
+ for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_DEFAULT_REGION; do
+ if [ -z "${!v}" ]; then
+ echo "Missing required secret/env: $v"
+ exit 1
+ fi
+ done
+
 - name: Verify AWS identity
- env:
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- AWS_DEFAULT_REGION: ${{ secrets.LOWER }}
 run: aws sts get-caller-identity
 
 - name: Validate CFT
- env:
- AWS_DEFAULT_REGION: ${{ secrets.LOWER }}
 run: |
 aws cloudformation validate-template \
 --template-body file://infra/hello-lambda.yml
 
 - name: Deploy CFT
- env:
- AWS_DEFAULT_REGION: ${{ secrets.LOWER }}
 run: |
 aws cloudformation deploy \
 --stack-name hello-lambda-stack \
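Review bot: The job-level `env:` added under `runs-on: nas-safe` (first hunk) puts the access key, secret key and session token in the environment of every step, including `actions/checkout@v4` and the CLI setup step whose tail is visible in the second hunk, neither of which calls AWS. Before this change only `Verify AWS identity` carried the keys. Keeping `AWS_DEFAULT_REGION` at job level and setting the three credential variables only on the steps that run `aws` would preserve least privilege. If job-level scope stays, pin checkout to a full commit SHA instead of the movable `v4` tag. A comment such as `# secrets.LOWER holds the target region for the lower environment` would also help, assuming that is what the secret contains.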
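Review bot: The new `Check required AWS secrets` step (second hunk) depends on `${!v}`, which is bash-only indirect expansion. If the `nas-safe` runner runs `run:` blocks with `sh` or dash, the step aborts with a bad-substitution error instead of the intended "Missing required secret/env" message. Adding `shell: bash` to the step makes the requirement explicit. The loop also makes `AWS_SESSION_TOKEN` mandatory, so the job only accepts temporary credentials; I would add `# expects short-lived STS credentials; rotate the stored secrets before they expire` above the loop so a later expiry failure is easy to diagnose.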