diff --git a/.gitea/workflows/check-renovate.yml.hold b/.gitea/workflows/check-renovate.yml.hold
deleted file mode 100644
index 1721d46b..00000000
--- a/.gitea/workflows/check-renovate.yml.hold
+++ /dev/null
@@ -1,20 +0,0 @@
-name: Check Renovate Updates
-
-on:
-  pull_request:
-    branches:
-      - main
-    types: [opened, synchronize, reopened]
-    paths:
-      - 'docker-compose.yml'
-
-jobs:
-  validate:
-    runs-on: ubuntu-latest
-    if: ${{ contains(toLower(github.event.pull_request.user.login), 'renovate') }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Validate docker-compose.yml
-        run: docker compose config
diff --git a/.gitea/workflows/renovate-pr-deploy.yml b/.gitea/workflows/renovate-pr-deploy.yml
new file mode 100644
index 00000000..c6f0d1d4
--- /dev/null
+++ b/.gitea/workflows/renovate-pr-deploy.yml
@@ -0,0 +1,107 @@
+name: Deploy Changed Services
+
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+
+jobs:
+  deploy:
+    if: |
+      github.event.pull_request.merged == true &&
+      github.event.pull_request.user.login == 'renovate-bot'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Detect Renovate update type
+        id: detect-update
+        run: |
+          body="${{ github.event.pull_request.body }}"
+          echo "PR body: $body"
+
+          if echo "$body" | grep -qE 'Update\s+(patch|minor|major|digest)'; then
+            echo "update=true" >> $GITHUB_OUTPUT
+          else
+            echo "update=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Stop if update not patch/minor/major/digest
+        if: steps.detect-update.outputs.update != 'true'
+        run: |
+          echo "::warning::This PR does not involve patch/minor/major/digest update. Skipping deployment."
+          exit 0
+
+      - name: Get changed services from docker-compose.yml
+        id: services
+        run: |
+          # Fetch previous commit to compare
+          git fetch origin ${{ github.event.before }} --depth=1
+
+          # Get all image names added/changed in docker-compose.yml
+          images=$(git diff ${{ github.event.before }} ${{ github.sha }} -- docker-compose.yml \
+            | grep -E '^\+.*image:' \
+            | sed -E 's/.*image:[[:space:]]*//g' \
+            | awk -F: '{print $1}' \
+            | sort -u)
+
+          # Map images to service names using yq
+          services=""
+          for img in $images; do
+            svc=$(yq e ".services | with_entries(select(.value.image | startswith(\"$img\"))) | keys | .[]" docker-compose.yml)
+            services="$services $svc"
+          done
+
+          # Deduplicate and trim
+          services=$(echo $services | tr ' ' '\n' | sort -u | xargs)
+          echo "services=$services" >> $GITHUB_OUTPUT
+
+      - name: Pull images for modified services
+        if: steps.services.outputs.services != ''
+        run: |
+          services="${{ steps.services.outputs.services }}"
+          echo "Pulling images for services: $services"
+          for svc in $services; do
+            docker compose pull $svc || echo "Failed to pull $svc, continuing..."
+          done
+
+      - name: Docker Compose Deployment
+        uses: hoverkraft-tech/compose-action@v2.2.0
+        env:
+          DOCKER_HOST: tcp://dockerproxy:2375
+        with:
+          services: |
+            ${{ steps.services.outputs.services }}
+          up-flags: -d --remove-orphans
+          compose-flags: --profile rinoa-apps
+
+      - name: Docker Compose Healthcheck
+        uses: jaracogmbh/docker-compose-health-check-action@v1.0.0
+        with:
+          max-retries: 30
+          retry-interval: 10
+          compose-file: "docker-compose.yml"
+          skip-exited: "true"
+          skip-no-healthcheck: "true"
+        continue-on-error: true
+        id: health
+
+      - name: Deployment Summary
+        if: always()
+        run: |
+          echo "### 🚀 Renovate Patch Deployment Summary" >> $GITHUB_STEP_SUMMARY
+
+          if [[ -z "${{ steps.services.outputs.services }}" ]]; then
+            echo "- No services changed in this patch update." >> $GITHUB_STEP_SUMMARY
+            exit 0
+          fi
+
+          echo "- Updated services: \`${{ steps.services.outputs.services }}\`" >> $GITHUB_STEP_SUMMARY
+
+          if [[ "${{ steps.health.outcome }}" == "success" ]]; then
+            echo "- ✅ All services passed health checks." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "- ⚠️ Some services failed health checks. Check logs above for details." >> $GITHUB_STEP_SUMMARY
+          fi
diff --git a/.gitea/workflows/renovate-pr-deploy.yml.hold b/.gitea/workflows/renovate-pr-deploy.yml.hold
deleted file mode 100644
index eaea2af5..00000000
--- a/.gitea/workflows/renovate-pr-deploy.yml.hold
+++ /dev/null
@@ -1,98 +0,0 @@
-name: Deploy Renovate Updates
-
-on:
-  workflow_run:
-    workflows: ["Check Renovate Updates"]
-    types:
-      - completed
-
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    if: >
-      ${{
-        github.event.workflow_run.conclusion == 'success' &&
-        contains(toLower(github.event.workflow_run.head_commit.author.name), 'renovate')
-      }}
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0  # we need full history to compute merge-base
-
-      - name: Set up Docker
-        uses: docker/setup-buildx-action@v3
-
-      - name: Log in to Docker (if needed)
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-
-      - name: Install yq
-        run: |
-          sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
-          sudo chmod +x /usr/bin/yq
-
-      - name: Get modified services including dependencies
-        id: modified_services
-        run: |
-          echo "Finding modified services in docker-compose.yml..."
-
-          # Find merge-base with previous main commit
-          BASE_COMMIT=$(git merge-base HEAD HEAD~1)
-
-          # Extract changed services between merge-base and HEAD
-          CHANGED_SERVICES=$(git diff --name-only $BASE_COMMIT HEAD -- docker-compose.yml \
-            | xargs -r -I{} yq e '.services | keys | .[]' {})
-
-          if [ -z "$CHANGED_SERVICES" ]; then
-            echo "No services changed, skipping."
-            exit 0
-          fi
-
-          declare -A VISITED
-          ALL_DEPLOY=()
-
-          get_deps() {
-            local service=$1
-            if [[ -n "${VISITED[$service]}" ]]; then
-              return
-            fi
-            VISITED[$service]=1
-            ALL_DEPLOY+=("$service")
-
-            # Array style depends_on
-            deps=$(yq e ".services.\"$service\".depends_on[]?" docker-compose.yml 2>/dev/null)
-            for dep in $deps; do
-              get_deps "$dep"
-            done
-
-            # Mapping style depends_on (with condition)
-            deps_map=$(yq e ".services.\"$service\".depends_on | keys[]" docker-compose.yml 2>/dev/null)
-            for dep in $deps_map; do
-              get_deps "$dep"
-            done
-          }
-
-          for svc in $CHANGED_SERVICES; do
-            get_deps "$svc"
-          done
-
-          echo "Services to deploy: ${ALL_DEPLOY[@]}"
-          echo "modified_services=${ALL_DEPLOY[@]}" >> $GITHUB_ENV
-
-      - name: Pull images for modified services
-        if: env.modified_services != ''
-        run: |
-          echo "Pulling images for services: $modified_services"
-          for svc in $modified_services; do
-            docker compose pull $svc || echo "Failed to pull $svc, continuing..."
-          done
-
-      - name: Deploy updated services
-        if: env.modified_services != ''
-        run: |
-          echo "Deploying services: $modified_services"
-          docker compose up -d $modified_services