diff --git a/.gitea/workflows/sync-public.yml b/.gitea/workflows/sync-public.yml
index 2ebc95e..ced569a 100644
--- a/.gitea/workflows/sync-public.yml
+++ b/.gitea/workflows/sync-public.yml
@@ -1,27 +1,22 @@
-name: Diagnose SSH to Flux-oss
+name: Sync public mirror
 on:
-  workflow_dispatch:
   push:
-    branches: [ main ]
+    branches: [ main ]   # change if your default branch is different
 
 jobs:
-  diag:
+  sync:
     runs-on: ubuntu-latest
-    steps:
-      - name: Print runner info
-        run: |
-          uname -a
-          df -h
-          free -h || true
+    container: alpine:3.20   # small & fast container; reduces system load
 
-      - name: Ensure secret is present
-        env:
-          SSH_KEY: ${{ secrets.PUBLIC_REPO_SSH_KEY }}
+    steps:
+      - name: Install tools (bash, rsync, git, openssh)
         run: |
-          if [ -z "$SSH_KEY" ]; then
-            echo "Secret PUBLIC_REPO_SSH_KEY is missing"; exit 1
-          fi
-          echo "Secret length: ${#SSH_KEY}"
+          apk add --no-cache bash rsync git openssh-client
+
+      - name: Checkout private repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
       - name: Prepare SSH
         env:
@@ -31,13 +26,29 @@ jobs:
           mkdir -p ~/.ssh
           echo "$SSH_KEY" > ~/.ssh/id_sync
           chmod 600 ~/.ssh/id_sync
-          printf 'Host gitea-lan\n  HostName 192.168.1.15\n  Port 22\n  User git\n  IdentityFile ~/.ssh/id_sync\n  IdentitiesOnly yes\n' >> ~/.ssh/config
+          printf 'Host 192.168.1.15\n  HostName 192.168.1.15\n  Port 22\n  User git\n  IdentityFile ~/.ssh/id_sync\n  IdentitiesOnly yes\n' >> ~/.ssh/config
           ssh-keyscan -p 22 192.168.1.15 >> ~/.ssh/known_hosts
 
-      - name: Test SSH auth to server
+      - name: Clone public repo
         run: |
-          ssh -T gitea-lan || true
+          git clone --depth 1 ssh://git@192.168.1.15:22/Bausager/Flux-oss.git /tmp/public
 
-      - name: Test Git access to Flux-oss
+      - name: Sync files (snapshot, safe)
         run: |
-          git ls-remote ssh://gitea-lan/Bausager/Flux-oss.git
+          # Copy into public working tree and delete removed files
+          rsync -a --delete \
+            --exclude '.git' \
+            --exclude '.gitea' \
+            ./ /tmp/public/
+
+          cd /tmp/public
+          git config user.name  "Gitea CI"
+          git config user.email "ci@bausager.org"
+
+          if ! git diff --quiet; then
+            git add -A
+            git commit -m "Sync from Flux (private)"
+            git push origin HEAD:main
+          else
+            echo "No changes to push."
+          fi