diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 4e75274..954e043 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -50,18 +50,18 @@ jobs: --thresholds ops/performance/latency_thresholds.json \ --iterations 600 - # - name: Login to Gitea registry - # if: github.event_name != 'pull_request' - # uses: docker/login-action@v3 - # with: - # registry: git.allucanget.biz - # username: ${{ secrets.REGISTRY_USERNAME }} - # password: ${{ secrets.REGISTRY_TOKEN }} + - name: Login to Gitea registry + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + registry: git.allucanget.biz + username: ${{ secrets.REGISTRY_USERNAME }} + password: ${{ secrets.REGISTRY_TOKEN }} - # - name: Build and push image - # if: github.event_name != 'pull_request' - # uses: docker/build-push-action@v6 - # with: - # context: . - # push: true - # tags: git.allucanget.biz/${{ secrets.REGISTRY_NAMESPACE }}/arbitrade:${{ github.sha }} + - name: Build and push image + if: github.event_name != 'pull_request' + uses: docker/build-push-action@v6 + with: + context: . + push: true + tags: git.allucanget.biz/allucanget/arbitrade:latest diff --git a/CHANGELOG.md b/CHANGELOG.md index 4edc7b9..be09aa9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,6 +29,7 @@ - Optimized dashboard metrics aggregation to use DuckDB SQL aggregates/quantiles instead of Python row scans. - Added backtesting usage and replay format documentation to README. - Dashboard controls now surface tradable pairs and strategy config snapshot values. +- CI now publishes `git.allucanget.biz/allucanget/arbitrade:latest`, and README now documents Coolify image deployment with runtime environment variables managed in Coolify. ### Removed diff --git a/README.md b/README.md index 11e64b5..2286834 100644 --- a/README.md +++ b/README.md 
@@ -265,24 +265,24 @@ Important: - [docker-compose.yml](docker-compose.yml) uses `git.allucanget.biz/allucanget/arbitrade:latest` as the default image reference. -## Coolify Deployment (Nixpacks) +## Coolify Deployment (Prebuilt Image) -Use this when deploying directly from Git in Coolify without the Dockerfile path. +Use this when deploying from the image published by CI instead of building from Git inside Coolify. ### 1) Create application in Coolify -- In Coolify, create a new `Application` from your Git repository. -- Branch: `main` (or your release branch). -- Build Pack: `Nixpacks`. -- Root Directory: `.` +- In Coolify, create a new `Application` using `Docker Image` / `Public Image` / `Private Registry Image`. +- Image: `git.allucanget.biz/allucanget/arbitrade:latest` +- Registry: `git.allucanget.biz` +- If registry auth is required, configure the same registry credentials in Coolify. ### 2) Configure build and start behavior Set these in Coolify application settings: -- Build Command: leave empty (let Nixpacks auto-detect Python). -- Install Command: leave empty (Nixpacks will install from `pyproject.toml`, which reads `requirements/latest-runtime.in`). -- Start Command: `python -m arbitrade.main` +- Build Command: leave empty. +- Install Command: leave empty. +- Start Command: leave empty unless you explicitly want to override the image default. - Port: `8000` ### 3) Configure health check and networking @@ -318,9 +318,11 @@ Recommended: - Configure `FERNET_KEY` in Coolify secrets (do not commit it). - Keep all exchange keys/secrets in Coolify secret variables only. +Coolify should own runtime configuration through environment variables. CI only publishes the image. + ### 6) Deploy and verify -- Trigger deploy in Coolify. +- Trigger deploy in Coolify after CI publishes `git.allucanget.biz/allucanget/arbitrade:latest`. - Verify app boot logs show startup completed. - Verify `GET /health` returns success on deployed URL. 
@@ -334,13 +336,6 @@ Required Gitea Actions secrets: - `REGISTRY_USERNAME` - `REGISTRY_TOKEN` -- `REGISTRY_NAMESPACE` - -Expected namespace now likely: - -```text -allucanget -``` Example registry login: @@ -351,7 +346,7 @@ docker login git.allucanget.biz Example pushed image tag shape: ```text -git.allucanget.biz/allucanget/arbitrade: +git.allucanget.biz/allucanget/arbitrade:latest ``` ## Project Layout @@ -416,7 +411,7 @@ Hardening checklist: - Use least-privilege Kraken API keys: query + trade only; never enable withdrawal. - Rotate API keys immediately if secret scan flags a potential exposure. - Keep dashboard auth enabled in non-local environments and avoid default/shared credentials. -- Run `pip-audit --skip-editable` in CI; treat vulnerability findings as release blockers. +- Run `pip-audit -r requirements/latest-runtime.in` in CI; treat vulnerability findings as release blockers. - Run `python scripts/security_scan.py` before release and after major merges. - Store secrets in environment/secret manager; never commit `.env` or key material.
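Review bot: the `tags:` line in the new `Build and push image` step replaces the `${{ github.sha }}` tag with a mutable `:latest`, so the registry no longer holds an immutable reference to the commit that produced each image and a rollback has nothing known to point at. Keep both, e.g. `tags: |` followed by `git.allucanget.biz/allucanget/arbitrade:${{ github.sha }}` and `git.allucanget.biz/allucanget/arbitrade:latest`. Two smaller points in the same hunk: `if: github.event_name != 'pull_request'` excludes only pull requests, so if this workflow also runs on pushes to non-main branches those pushes will overwrite `:latest` too (add a `github.ref == 'refs/heads/main'` condition or equivalent); and `docker/login-action@v3` / `docker/build-push-action@v6` are pinned to floating major tags rather than commit SHAs, which is worth tightening for a job that holds registry push credentials.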
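Review bot: in the new `1) Create application in Coolify` list, `If registry auth is required, configure the same registry credentials in Coolify` reads as reusing the CI `REGISTRY_USERNAME`/`REGISTRY_TOKEN` pair, which carries push rights; the deploy side only needs to pull, so recommend a separate read-only registry credential for Coolify. Also, `Start Command: leave empty unless you explicitly want to override the image default` drops the only place the README stated what the process runs (the removed `python -m arbitrade.main`); name the image's default command here so an override is an informed choice.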
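Review bot: `Trigger deploy in Coolify after CI publishes git.allucanget.biz/allucanget/arbitrade:latest` depends on a mutable tag, so the `6) Deploy and verify` steps cannot confirm which build actually went live; add a step that records the pulled image digest (or the commit the image was built from) next to the `GET /health` check, otherwise a stale pull or a `:latest` overwritten by a later run is indistinguishable from the intended release. The added `Coolify should own runtime configuration through environment variables. CI only publishes the image.` is a useful boundary; it would be stronger if it also said the image therefore contains no baked-in `.env` or `FERNET_KEY`, matching the `Recommended:` items just above it.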
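Review bot: `pip-audit -r requirements/latest-runtime.in` audits whatever versions resolve from an unpinned `.in` input at audit time, which can differ from the packages actually installed in the published image; point it at a pinned/compiled requirements file if one exists, or run `pip-audit` inside the built image (the environment-scanning form that `--skip-editable` line used), so findings map to what ships. Also confirm `.gitea/workflows/ci.yml` runs the same invocation: this diff changes only the README wording while the checklist states the audit runs `in CI`.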