diff --git a/.github/workflows/testnet-deployment.yml b/.github/workflows/testnet-deployment.yml
index 5837a035..eb1a7adb 100644
--- a/.github/workflows/testnet-deployment.yml
+++ b/.github/workflows/testnet-deployment.yml
@@ -8,12 +8,12 @@ on:
   push:
     branches: [main]
     paths:
-      - ".github/workflows/deploy-testnet.yml"
+      - ".github/workflows/testnet-deployment.yml"
       - "contracts/**"
       - "frontend/**"
   pull_request:
     paths:
-      - ".github/workflows/deploy-testnet.yml"
+      - ".github/workflows/testnet-deployment.yml"
       - "contracts/**"
 
 env:
@@ -27,7 +27,6 @@ concurrency:
 jobs:
   deploy-contracts:
     name: Deploy contracts
-    if: false # Disable contracts deployment for now
     runs-on: ubuntu-latest
     steps:
       - name: Git checkout
@@ -49,6 +48,7 @@ jobs:
 
       - name: Install dependencies
         run: pnpm install
+        working-directory: ./contracts
 
       - name: Install Foundry
         uses: foundry-rs/foundry-toolchain@v1
diff --git a/contracts/utils/deploy-cli.ts b/contracts/utils/deploy-cli.ts
index a7db6e93..f8818327 100644
--- a/contracts/utils/deploy-cli.ts
+++ b/contracts/utils/deploy-cli.ts
@@ -156,9 +156,13 @@ Deploying Liquity contracts with the following settings:
     `broadcast/DeployLiquity2.s.sol/${options.chainId}/run-latest.json`,
   );
 
+  // XXX hotfix: we were leaking Github secrets in "deployer"
+  // TODO: check if "deployer" is a private key, and calculate its address and use it instead?
+  const { deployer, ...safeOptions } = options;
+
   // write env file
   await fs.writeJson("deployment-context-latest.json", {
-    options,
+    options: safeOptions,
     deployedContracts: Object.fromEntries(deployedContracts),
   });
 
diff --git a/contracts/utils/deployment-artifacts-to-app-env.ts b/contracts/utils/deployment-artifacts-to-app-env.ts
index e57ee709..526f3f0d 100644
--- a/contracts/utils/deployment-artifacts-to-app-env.ts
+++ b/contracts/utils/deployment-artifacts-to-app-env.ts
@@ -17,7 +17,8 @@ const ZAddress = z.string().regex(/^0x[0-9a-fA-F]{40}$/);
 const ZDeploymentContext = z.object({
   options: z.object({
     chainId: z.number(),
-    deployer: z.string(), // can be an address or a private key
+    // XXX hotfix: we were leaking Github secrets in "deployer"
+    // deployer: z.string(), // can be an address or a private key
     help: z.boolean(),
     openDemoTroves: z.boolean(),
     rpcUrl: z.string(),