diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index daa1f75..e0c264e 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -3,6 +3,10 @@
 # 需挂载 /var/run/docker.sock。
 #
 # 说明：NODEJS_ORG_MIRROR 在 act_runner 中常被忽略/不生效；用镜像自带 Node 即可绕过。
+#
+# 部署（推送到 main/master 时）：在仓库「工作流 → 密钥」中配置
+#   SSH_PRIVATE_KEY  DEPLOY_HOST  DEPLOY_USER  DEPLOY_PATH
+# DEPLOY_PATH 为 Nginx root，如 /var/www/chat-one-web；rsync 会把 dist/ 下文件同步到该目录。
 
 name: CI
 
@@ -51,3 +55,26 @@ jobs:
 
       - name: Build
         run: yarn build
+
+      - name: Install rsync and OpenSSH client
+        if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')
+        run: apt-get update && apt-get install -y --no-install-recommends rsync openssh-client
+
+      - name: Deploy to Nginx (rsync)
+        if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          DEPLOY_HOST: ${{ vars.DEPLOY_HOST }}
+          DEPLOY_USER: ${{ vars.DEPLOY_USER }}
+          DEPLOY_PATH: ${{ vars.DEPLOY_PATH }}
+        run: |
+          set -e
+          mkdir -p ~/.ssh
+          chmod 700 ~/.ssh
+          echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_deploy
+          chmod 600 ~/.ssh/id_deploy
+          ssh-keyscan -H "$DEPLOY_HOST" >> ~/.ssh/known_hosts
+          rsync -avz --delete \
+            -e "ssh -i ~/.ssh/id_deploy -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes" \
+            dist/ \
+            "${DEPLOY_USER}@${DEPLOY_HOST}:${DEPLOY_PATH}/chat-one-web"