diff --git a/.github/workflows/fly-deploy.yml b/.github/workflows/fly-deploy.yml
index 7f9e0ee..29a31a8 100644
--- a/.github/workflows/fly-deploy.yml
+++ b/.github/workflows/fly-deploy.yml
@@ -89,7 +89,8 @@ jobs:
 "ai/anthropic/api_key:ANTHROPIC_API_KEY"
 "voice/inbound_phone_map:INBOUND_PHONE_VOICE_MAP"
 )
- : > "$RUNNER_TEMP/secrets.env"
+ : > "$RUNNER_TEMP/secrets.bin"
+ count=0
 for pair in "${mapping[@]}"; do
 suffix="${pair%%:*}"
 name="${pair##*:}"
@@ -99,13 +100,17 @@ jobs:
 --query 'Parameter.Value' --output text)
 # Mask so the value never appears in subsequent log output.
 echo "::add-mask::$value"
- # Single-quoted so JSON values pass through intact.
- printf "%s=%q\n" "$name" "$value" >> "$RUNNER_TEMP/secrets.env"
+ # NUL-separated KEY=VALUE entries — preserves values
+ # literally (no shell escaping, no \n issues). The next
+ # step reads back with `read -d ''`.
+ printf '%s=%s\0' "$name" "$value" >> "$RUNNER_TEMP/secrets.bin"
+ count=$((count + 1))
 done
- # Add the two static settings:
- printf "%s=%q\n" "SERVER_DOMAIN" "$FLY_APP_NAME.fly.dev" >> "$RUNNER_TEMP/secrets.env"
- printf "%s=%q\n" "VALIDATE_TWILIO_SIGNATURE" "true" >> "$RUNNER_TEMP/secrets.env"
- echo "wrote $(wc -l < $RUNNER_TEMP/secrets.env) entries"
+ # Static settings:
+ printf '%s=%s\0' "SERVER_DOMAIN" "$FLY_APP_NAME.fly.dev" >> "$RUNNER_TEMP/secrets.bin"
+ printf '%s=%s\0' "VALIDATE_TWILIO_SIGNATURE" "true" >> "$RUNNER_TEMP/secrets.bin"
+ count=$((count + 2))
+ echo "wrote $count entries"
 - name: Setup flyctl
 # superfly/flyctl-actions/setup-flyctl@master left flyctl off
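Review bot: The unchanged `echo "::add-mask::$value"` just above the new `printf '%s=%s\0'` line no longer matches what the file format accepts: the new format stores values containing newlines intact, but workflow commands are read one line at a time, so for such a value only the first line would be registered as a mask and the remaining lines would be echoed to the job log in clear text. Whether any of the mapped parameters can contain a newline is not visible here, so treat this as a guard rather than a confirmed leak. Mask per line instead, e.g. `while IFS= read -r l; do [ -n "$l" ] && echo "::add-mask::$l"; done <<< "$value"`, and add a comment saying why. The loop body starts outside this hunk, so the assignment to `value` and its error handling cannot be checked from here.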
@@ -166,12 +171,16 @@ jobs:
 # --stage defers the implicit re-deploy until our explicit
 # deploy step. Otherwise fly secrets set triggers a second
 # rollout and we waste a build.
+ #
+ # Read NUL-separated KEY=VALUE pairs the previous step wrote.
+ # NUL separation + IFS= + -r preserves every byte (no shell
+ # escaping). Quote the array expansion so each pair stays a
+ # single argv entry to flyctl.
 args=()
- while IFS= read -r line; do
- args+=("$line")
- done < "$RUNNER_TEMP/secrets.env"
- # shellcheck disable=SC2068
- fly secrets set ${args[@]} --stage -a "$FLY_APP_NAME"
+ while IFS= read -r -d '' pair; do
+ args+=("$pair")
+ done < "$RUNNER_TEMP/secrets.bin"
+ fly secrets set "${args[@]}" --stage -a "$FLY_APP_NAME"
 - name: Deploy
 env:
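Review bot: The plaintext `secrets.bin` is never removed after the `fly secrets set` line in this hunk, so the following Deploy step and anything else that runs later in the job can still read every secret value from `$RUNNER_TEMP`. Add `trap 'rm -f -- "$RUNNER_TEMP/secrets.bin"' EXIT` at the top of this step (its start is outside the hunk), or at least `rm -f -- "$RUNNER_TEMP/secrets.bin"` right after the flyctl call. The read loop also accepts an empty or truncated file silently, although the writer already computes a count; a guard such as `(( ${#args[@]} > 0 )) || { echo "no secrets read" >&2; exit 1; }` before the call would catch that. The values are still passed on flyctl's argv, which other processes on the runner can see while the command runs, so a comment stating this is accepted only for a single-tenant runner would help the next reader.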