diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml index 6e0bc19..656911a 100644 --- a/.gitea/workflows/deploy.yml +++ b/.gitea/workflows/deploy.yml @@ -29,6 +29,9 @@ jobs: run: | set -euo pipefail + # Fail fast if sudo requires interactive password in runner context + sudo -n true + # Deploy directory APP_DIR=/opt/skymoney mkdir -p $APP_DIR @@ -57,11 +60,12 @@ jobs: bash ./scripts/validate-prod-db-target.sh PROD_DB_VOLUME_NAME="${PROD_DB_VOLUME_NAME:-skymoney_pgdata}" \ ALLOW_EMPTY_PROD_VOLUME="${ALLOW_EMPTY_PROD_VOLUME:-0}" \ - DOCKER_CMD="sudo docker" \ + PROD_VOLUME_GUARD_TIMEOUT_SEC="${PROD_VOLUME_GUARD_TIMEOUT_SEC:-20}" \ + DOCKER_CMD="sudo -n docker" \ bash ./scripts/guard-prod-volume.sh # Build and start all services - sudo docker-compose -p skymoney up -d --build + sudo -n docker-compose -p skymoney up -d --build # Wait for database to be ready sleep 10 @@ -76,7 +80,7 @@ jobs: bash ./scripts/backup.sh # Run Prisma migrations inside the API container - sudo docker-compose -p skymoney exec -T api npx prisma migrate deploy + sudo -n docker-compose -p skymoney exec -T api npx prisma migrate deploy - name: Reload Nginx run: sudo systemctl reload nginx diff --git a/scripts/guard-prod-volume.sh b/scripts/guard-prod-volume.sh index b7c3aa5..d2dc8e9 100644 --- a/scripts/guard-prod-volume.sh +++ b/scripts/guard-prod-volume.sh @@ -4,6 +4,7 @@ set -euo pipefail VOLUME_NAME="${PROD_DB_VOLUME_NAME:-skymoney_pgdata}" ALLOW_EMPTY="${ALLOW_EMPTY_PROD_VOLUME:-0}" DOCKER_CMD="${DOCKER_CMD:-docker}" +PROBE_TIMEOUT_SEC="${PROD_VOLUME_GUARD_TIMEOUT_SEC:-20}" if ! $DOCKER_CMD volume inspect "$VOLUME_NAME" >/dev/null 2>&1; then if [[ "$ALLOW_EMPTY" == "1" ]]; then 
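Review bot: The `sudo -n true` preflight only proves that `true` can be run without a password, which is not what the rest of the step needs. On a runner whose sudoers entry grants NOPASSWD for specific commands only, this line fails the job even though `sudo -n docker` would succeed, so it pushes the host towards a blanket NOPASSWD rule. Probing the commands that are actually used keeps a least-privilege sudoers setup workable, for example `sudo -n -l docker >/dev/null` and `sudo -n -l docker-compose >/dev/null`.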
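Review bot: The 20-second default for `PROD_VOLUME_GUARD_TIMEOUT_SEC` is undocumented here, and it also has to cover pulling the `alpine` image whenever the guard's `docker run` does not find it cached on the host. On a fresh or pruned host the guard could therefore time out for reasons unrelated to the volume. A comment above the `PROD_DB_VOLUME_NAME=` line would help (it cannot sit between the backslash-continued assignments), such as `# Guard probe budget in seconds; includes pulling the alpine probe image if it is not cached`. The same default is repeated in `guard-prod-volume.sh`, so one of the two copies could be dropped.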
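Review bot: The `Reload Nginx` step at the end of this hunk still runs plain `sudo systemctl reload nginx`, so it is the one sudo call left that can ask for a password in the runner. It is a separate step, so the `sudo -n true` preflight added to the deploy step does not cover it. For consistency with the other calls, change it to `run: sudo -n systemctl reload nginx`.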
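Review bot: `PROBE_TIMEOUT_SEC` is taken from the environment without validation and is then passed to `timeout` in the second hunk of this file. With GNU `timeout`, a value of `0` disables the time limit entirely. A non-numeric value makes `timeout` itself fail, which the `if` around the probe cannot tell apart from a missing `PG_VERSION`. A check directly after the assignment would catch both: `[[ "$PROBE_TIMEOUT_SEC" =~ ^[1-9][0-9]*$ ]] || { echo "PROD_VOLUME_GUARD_TIMEOUT_SEC must be a positive integer" >&2; exit 1; }`.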
@@ -16,7 +17,7 @@ if ! $DOCKER_CMD volume inspect "$VOLUME_NAME" >/dev/null 2>&1; then exit 1 fi -if $DOCKER_CMD run --rm -v "${VOLUME_NAME}:/var/lib/postgresql/data" alpine sh -lc "test -f /var/lib/postgresql/data/PG_VERSION"; then +if timeout "${PROBE_TIMEOUT_SEC}"s $DOCKER_CMD run --rm -v "${VOLUME_NAME}:/var/lib/postgresql/data" alpine sh -lc "test -f /var/lib/postgresql/data/PG_VERSION"; then echo "Production volume guard passed: '$VOLUME_NAME' contains PostgreSQL data." exit 0 fi
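Review bot: A probe that times out is handled exactly like a probe that found no `PG_VERSION`, because `timeout` returns 124 and the `if` only sees a non-zero status. The code after the closing `fi` is outside this hunk, but it presumably reports the volume as lacking PostgreSQL data, which is misleading when the real cause is a hung Docker daemon or a slow image pull. Capturing the status and reporting 124 separately keeps the guard's verdict trustworthy. The probe only reads one file, so the production volume can also be mounted read-only with a `:ro` suffix on the `-v` argument.

```shell
# … unchanged: volume inspect check above …
probe_rc=0
timeout "${PROBE_TIMEOUT_SEC}"s $DOCKER_CMD run --rm \
  -v "${VOLUME_NAME}:/var/lib/postgresql/data:ro" alpine \
  sh -lc "test -f /var/lib/postgresql/data/PG_VERSION" || probe_rc=$?

if (( probe_rc == 0 )); then
  echo "Production volume guard passed: '$VOLUME_NAME' contains PostgreSQL data."
  exit 0
fi

# 124 is timeout's own status: the probe never answered, so the volume state is unknown.
if (( probe_rc == 124 )); then
  echo "Production volume guard: probe timed out after ${PROBE_TIMEOUT_SEC}s; volume state unknown." >&2
  exit 1
fi
# … unchanged: handling after the probe, outside the hunk …
```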