diff --git a/deploy.sh b/deploy.sh
index 6c30a75..9756544 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -79,15 +79,17 @@ else
 fi
 # ── 5. Git pull ───────────────────────────────────────────────────────────────
-log "Pulling latest code..."
+# Run git as the invoking user (not root) so SSH keys work
+GIT_USER="${SUDO_USER:-$(whoami)}"
+log "Pulling latest code (as $GIT_USER)..."
 cd "$APP_DIR"
-git fetch origin
+sudo -u "$GIT_USER" git fetch origin
 LOCAL=$(git rev-parse HEAD)
 REMOTE=$(git rev-parse '@{u}')
 if [[ "$LOCAL" == "$REMOTE" ]]; then
 ok "Already up to date ($(git rev-parse --short HEAD))"
 else
- git pull --ff-only || die "git pull failed — local changes detected. Stash or reset them first."
+ sudo -u "$GIT_USER" git pull --ff-only || die "git pull failed — local changes detected. Stash or reset them first."
 ok "Updated to $(git rev-parse --short HEAD)"
 fi
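Review bot: The `git rev-parse` calls left as context (`LOCAL=`, `REMOTE=`, and the two `--short HEAD` calls in the `ok` lines) still run git as root inside a working tree that `$GIT_USER` can write to, so only the network steps were moved off root. Git reads the repository's own `.git/config` on every invocation, so it is safer and more consistent to route every call through one helper such as `run_git() { sudo -u "$GIT_USER" git "$@"; }` and write `LOCAL=$(run_git rev-parse HEAD)`. If earlier deploys fetched as root, files under `.git` may be root-owned and the unprivileged fetch or pull would then fail on permissions; the unchanged `die` text would report that as local changes, and `git fetch` has no failure handling of its own unless `set -e` is in effect outside this hunk. The `fi` at the top of the hunk closes a block that starts outside it.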