diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
index 21a2034..c7a6fd9 100644
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -134,9 +134,18 @@ jobs:
             registry.meghsakha.com/breakpilot/portal:latest
             registry.meghsakha.com/breakpilot/portal:sha-${{ github.sha }}
       - name: trigger orca redeploy
+        # Signs the POST with HMAC-SHA256 over the JSON body using the
+        # secret orca generated when the webhook was registered. Orca's
+        # endpoint is publicly reachable on the master, so the signature
+        # gates who can fire a deploy.
+        env:
+          ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET }}
         run: |
+          BODY='{"repository":{"full_name":"platform/portal"},"ref":"refs/heads/main"}'
+          SIG="sha256=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -hex | awk '{print $NF}')"
           curl -ksSf -X POST \
             -H "Content-Type: application/json" \
             -H "X-GitHub-Event: push" \
-            -d '{"repository":{"full_name":"platform/portal"},"ref":"refs/heads/main"}' \
+            -H "X-Hub-Signature-256: $SIG" \
+            -d "$BODY" \
             https://46.225.100.82:6880/api/v1/webhooks/github
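Review bot: The new `SIG=` line signs with whatever `$ORCA_WEBHOOK_SECRET` expands to, so an unset or empty `secrets.ORCA_WEBHOOK_SECRET` still yields a well-formed `sha256=` header (an HMAC keyed with the empty string) rather than failing the step; add `: "${ORCA_WEBHOOK_SECRET:?ORCA_WEBHOOK_SECRET is not set}"` before it so a misconfigured secret fails loudly instead of sending a trivially forgeable signature. The signed `$BODY` is a fixed literal with no timestamp or delivery id, so the signature is identical on every run and anyone who captures one request can replay it until the secret rotates — and the retained `curl -k` lets any host answering at `46.225.100.82:6880` be that capturer; prefer `--cacert`/`--pinnedpubkey` over `-k` and, if orca verifies such a field, include a per-run value like `"delivery":"${GITHUB_RUN_ID}"` in the body. Note also that `-hmac "$ORCA_WEBHOOK_SECRET"` places the secret in the runner's process argument list, which is visible to anything else on that host while the step runs. The added comment should be softened to match, e.g. `# gates who can fire a deploy; the body carries no nonce, so a captured request replays until the secret is rotated.`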