diff --git a/.gitea/workflows/production.yaml b/.gitea/workflows/production.yaml
index 7258700..e44722b 100644
--- a/.gitea/workflows/production.yaml
+++ b/.gitea/workflows/production.yaml
@@ -95,6 +95,7 @@ jobs:
           sparse-checkout: |
             scripts/
             config/
+            secrets/app/google-wif-config.json
             docker-compose.yml
             docker-compose.blue-green.yml
             docker-compose.prod.yml
@@ -108,6 +109,11 @@ jobs:
           cp "$GITHUB_WORKSPACE/docker-compose.yml" "$DEPLOY_PATH/"
           cp "$GITHUB_WORKSPACE/docker-compose.blue-green.yml" "$DEPLOY_PATH/"
           cp "$GITHUB_WORKSPACE/docker-compose.prod.yml" "$DEPLOY_PATH/"
+          # WIF credential config (not a secret -- references Auth0 token script path)
+          # Remove any Docker-created directory artifact from failed bind mounts
+          rm -rf "$DEPLOY_PATH/secrets/app/google-wif-config.json"
+          mkdir -p "$DEPLOY_PATH/secrets/app"
+          cp "$GITHUB_WORKSPACE/secrets/app/google-wif-config.json" "$DEPLOY_PATH/secrets/app/"
 
       - name: Generate logging configuration
         run: |
diff --git a/.gitea/workflows/staging.yaml b/.gitea/workflows/staging.yaml
index 1d4644b..51fb774 100644
--- a/.gitea/workflows/staging.yaml
+++ b/.gitea/workflows/staging.yaml
@@ -118,6 +118,11 @@ jobs:
           rsync -av --delete "$GITHUB_WORKSPACE/scripts/" "$DEPLOY_PATH/scripts/"
           cp "$GITHUB_WORKSPACE/docker-compose.yml" "$DEPLOY_PATH/"
           cp "$GITHUB_WORKSPACE/docker-compose.staging.yml" "$DEPLOY_PATH/"
+          # WIF credential config (not a secret -- references Auth0 token script path)
+          # Remove any Docker-created directory artifact from failed bind mounts
+          rm -rf "$DEPLOY_PATH/secrets/app/google-wif-config.json"
+          mkdir -p "$DEPLOY_PATH/secrets/app"
+          cp "$GITHUB_WORKSPACE/secrets/app/google-wif-config.json" "$DEPLOY_PATH/secrets/app/"
 
       - name: Generate logging configuration
         run: |