diff --git a/.gitea/workflows/build-and-push.yml b/.gitea/workflows/build-and-push.yml
index 32bc01b..c84ee7f 100644
--- a/.gitea/workflows/build-and-push.yml
+++ b/.gitea/workflows/build-and-push.yml
@@ -43,34 +43,49 @@ jobs: docker logout "$ACR_REGISTRY" || true echo "$ACR_PASSWORD" | docker login "$ACR_REGISTRY" --username "$ACR_USERNAME" --password-stdin - - name: Start v2ray-client (write + verify + run + logs) + - name: Start v2ray-client (write + assert + verify + run + logs) env: V2RAY_JSON: ${{ secrets.V2RAY_JSON }} run: | set -euo pipefail - # 1) 写入配置 - mkdir -p "${GITHUB_WORKSPACE}/v2ray" - printf '%s' "$V2RAY_JSON" > "${GITHUB_WORKSPACE}/v2ray/config.json" - jq . "${GITHUB_WORKSPACE}/v2ray/config.json" >/dev/null + # 0) 强校验 Secret 是否非空 + if [ -z "${V2RAY_JSON:-}" ]; then + echo "ERROR: V2RAY_JSON is empty or not set. Check your repository Secrets." >&2 + exit 1 + fi - # 2) 用一次性容器验证:覆盖 entrypoint 才能用 sh + # 1) 写入配置到工作区 + mkdir -p "${GITHUB_WORKSPACE}/v2ray" + # 注意用 printf,不要 echo -e,避免转义问题 + printf '%s' "$V2RAY_JSON" > "${GITHUB_WORKSPACE}/v2ray/config.json" + + # 2) 本机硬校验:存在、非空、可读、是普通文件 + ls -l "${GITHUB_WORKSPACE}/v2ray" || true + test -f "${GITHUB_WORKSPACE}/v2ray/config.json" + test -s "${GITHUB_WORKSPACE}/v2ray/config.json" + # 可选:校验 JSON 格式(若 runner 没装 jq,可去掉) + if command -v jq >/dev/null 2>&1; then + jq . 
"${GITHUB_WORKSPACE}/v2ray/config.json" >/dev/null + fi + + # 3) 用一次性容器检查“容器内是否能看到文件”(覆盖 entrypoint 才能用 sh) docker run --rm \ --network host \ - --mount type=bind,src=${GITHUB_WORKSPACE}/v2ray,dst=/etc/v2ray,ro \ + --mount type=bind,src=${GITHUB_WORKSPACE}/v2ray,dst=/etc/v2ray,ro,z \ --entrypoint sh \ v2fly/v2fly-core:latest \ - -lc 'ls -l /etc/v2ray && head -n2 /etc/v2ray/config.json || true' + -lc 'echo "== inside container =="; ls -l /etc/v2ray; echo "---"; head -n2 /etc/v2ray/config.json || true' - # 3) 启动真实服务 + # 4) 启动真实服务 docker rm -f v2ray-client >/dev/null 2>&1 || true docker run -d --name v2ray-client \ --network host \ - --mount type=bind,src=${GITHUB_WORKSPACE}/v2ray,dst=/etc/v2ray,ro \ + --mount type=bind,src=${GITHUB_WORKSPACE}/v2ray,dst=/etc/v2ray,ro,z \ v2fly/v2fly-core:latest \ run -c /etc/v2ray/config.json -format jsonv5 - # 4) 健康检查;若退出则打印日志并失败 + # 5) 健康检查;若退出则打印日志并失败 sleep 1 if [ "$(docker inspect -f '{{.State.Running}}' v2ray-client 2>/dev/null)" != "true" ]; then echo "== v2ray-client exited; logs ==" @@ -78,11 +93,9 @@ jobs: exit 1 fi - # 5)(可选)打印挂载确认 + # 6)(可选)打印挂载确认 docker inspect -f '{{range .Mounts}}{{println .Type .Source "->" .Destination}}{{end}}' v2ray-client - - - name: Build Docker Image (host network; no Dockerfile change) env: IMAGE: ${{ secrets.ACR_REGISTRY }}/${{ secrets.ACR_NAMESPACE }}/${{ vars.IMAGE_NAME }} @@ -95,7 +108,7 @@ jobs: --name ci-builder --use \ --driver docker-container \ --driver-opt network=host \ - --driver-opt env.http_proxy=http://127.0.0.1:8080,env.https_proxy=http://127.0.0.1:8080 \ + --driver-opt env.http_proxy=http://127.0.0.1:18080,env.https_proxy=http://127.0.0.1:18080 \ --buildkitd-flags '--allow-insecure-entitlement network.host' \ >/dev/null
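Review bot: The check container on the new `-lc` line still runs `head -n2 /etc/v2ray/config.json`, which prints the start of the file written from `secrets.V2RAY_JSON` into the job log; if the JSON is stored on a single line that is the whole config, and whether the runner's log masking catches it should be treated as unverified. The command also cannot fail the step, because its parts are joined with `;` and the last one ends in `|| true`, so the "assert" in the step name is not enforced inside the container. A check that fails closed and prints no file content would be `-lc 'ls -l /etc/v2ray && test -s /etc/v2ray/config.json'`. Separately, the `,z` added to both `--mount` lines should be confirmed on the runner: as far as I know Docker's `--mount` does not accept the SELinux `z`/`Z` options (they belong to `-v`), in which case both `docker run` calls would abort under `set -e`.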