diff --git a/.forgejo/workflows/ci-cd-web-desktop.yml b/.forgejo/workflows/ci-cd-web-desktop.yml
index bbbd16d..783e8a3 100644
--- a/.forgejo/workflows/ci-cd-web-desktop.yml
+++ b/.forgejo/workflows/ci-cd-web-desktop.yml
@@ -182,18 +182,23 @@ jobs:
             sistema_web:node22-bun \
             bash -lc "set -euo pipefail; bun install --frozen-lockfile --filter '!appsdesktop'; bun run prisma:generate; bun run build:bun"
 
+      - name: Fix Docker-created file permissions
+        run: |
+          # Docker cria arquivos como root - corrigir para o usuario runner (UID 1000)
+          docker run --rm -v "$EFFECTIVE_APP_DIR":/target alpine:3 \
+            chown -R 1000:1000 /target
+          echo "Permissoes do build corrigidas"
+
       - name: Publish build to stable APP_DIR directory
         run: |
           set -e
           DEST="$HOME/apps/sistema"
           mkdir -p "$DEST"
           mkdir -p "$DEST/.next/static"
-          # Corrigir permissoes de arquivos criados por containers Docker (root)
-          # Isso permite que o rsync sobrescreva arquivos anteriores
-          if [ -d "$DEST/src/generated" ]; then
-            chmod -R u+rwX "$DEST/src/generated" 2>/dev/null || \
-              docker run --rm -v "$DEST/src/generated":/target alpine:3 \
-                chown -R 1000:1000 /target 2>/dev/null || true
+          # Corrigir permissoes do destino (arquivos de deploys anteriores)
+          if [ -d "$DEST" ]; then
+            docker run --rm -v "$DEST":/target alpine:3 \
+              chown -R 1000:1000 /target 2>/dev/null || true
           fi
           # rsync com --no-owner --no-group para nao preservar UID do container Docker
           if [ -d "$EFFECTIVE_APP_DIR/.next/static" ]; then