diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 35cf0f2..4093edd 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -25,4 +25,4 @@ permissions: jobs: ci: - uses: cplieger/ci/.github/workflows/ci.yaml@6659f08fc7f512ad4ae4bc9a27b257ea423a433a # v2 + uses: cplieger/ci/.github/workflows/ci.yaml@f19e2a239fe99c9300a2dc256a7e7c1b4357860b # v2 diff --git a/README.md b/README.md index ccc1950..949c34e 100644 --- a/README.md +++ b/README.md @@ -32,9 +32,11 @@ The `age-decrypt` binary is a single static Go executable on `gcr.io/distroless/ The expected workflow is encryption-at-rest in git, decryption at deploy: 1. Encrypt your `.env` files locally: + ```bash age -a -R recipients.txt -o apps/myservice/.env apps/myservice/.env.dec ``` + 2. Commit `apps/myservice/.env` (encrypted, ASCII-armored) to git. `.env.dec` stays local. 3. On each server, run `age-decrypt` as a pre-deploy step before your stack starts:
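Review bot: in the `.github/workflows/ci.yaml` hunk, the trailing `# v2` comment is identical on the removed and added `uses:` lines, so it no longer tells a reader which release the pinned commit corresponds to. Nothing visible here lets a reviewer confirm that `f19e2a239fe99c9300a2dc256a7e7c1b4357860b` is the commit the `v2` tag in `cplieger/ci` currently points to. Pinning the reusable workflow by full SHA is the right choice. Please either put the exact tag the SHA was resolved from in the comment, or state in the commit message what changed between `6659f08` and `f19e2a2`, so the bump can be audited without trusting the label.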
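Review bot: in the `README.md` hunk, the two added blank lines surround the fenced `bash` block that belongs to step 1 of the numbered list. If the fence is not indented to the list item's content column, the blank line before it ends item 1, and some Markdown renderers will then restart or break the numbering at `2. Commit ...`. Please check the rendered output and, if needed, indent the fence and the `age -a -R recipients.txt ...` line by three spaces so the command stays inside step 1. No wording changes in this hunk, so nothing else to raise here.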