diff --git a/.woodpecker/ci.yml b/.woodpecker/ci.yml
index ed65fd4..14d3c13 100644
--- a/.woodpecker/ci.yml
+++ b/.woodpecker/ci.yml
@@ -337,3 +337,35 @@ steps:
       - security-trivy-api
       - security-trivy-orchestrator
       - security-trivy-web
+
+  # ─── Deploy to Docker Swarm (main only) ─────────────────────
+
+  deploy-swarm:
+    image: alpine:3
+    environment:
+      SSH_PRIVATE_KEY:
+        from_secret: ssh_private_key
+      SSH_KNOWN_HOSTS:
+        from_secret: ssh_known_hosts
+    commands:
+      - apk add --no-cache openssh-client
+      - |
+        set -e
+        # Setup SSH
+        mkdir -p ~/.ssh
+        echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
+        chmod 600 ~/.ssh/known_hosts
+        echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
+        chmod 600 ~/.ssh/id_ed25519
+
+        # Deploy to swarm
+        echo "🚀 Deploying to Docker Swarm..."
+        ssh -o StrictHostKeyChecking=no mosaic@10.1.1.45 \
+          "cd /opt/mosaic-stack && \
+           docker login git.mosaicstack.dev -u \$(echo \$GITEA_USER) -p \$GITEA_TOKEN || true && \
+           docker stack deploy -c docker-compose.yml mosaic"
+    when:
+      - branch: [main]
+        event: [push, manual, tag]
+    depends_on:
+      - link-packages