diff --git a/.github/workflows/ci-cd-web-desktop.yml b/.github/workflows/ci-cd-web-desktop.yml
index 550443d..6f5f5a9 100644
--- a/.github/workflows/ci-cd-web-desktop.yml
+++ b/.github/workflows/ci-cd-web-desktop.yml
@@ -87,6 +87,11 @@ jobs:
         run: |
           mkdir -p "$EFFECTIVE_APP_DIR"
           RSYNC_FLAGS="-az --inplace --no-times --no-perms --no-owner --no-group --delete"
+          # Excluir .env apenas quando copiando para o diretório padrão (/srv) para preservar segredos locais
+          EXCLUDE_ENV="--exclude '.env*' --exclude 'apps/desktop/.env*' --exclude 'convex/.env*'"
+          if [ "$EFFECTIVE_APP_DIR" != "${APP_DIR:-/srv/apps/sistema}" ]; then
+            EXCLUDE_ENV=""
+          fi
           rsync $RSYNC_FLAGS \
             --filter='protect node_modules' \
             --filter='protect node_modules/**' \
@@ -102,29 +107,8 @@ jobs:
             --exclude 'node_modules/**' \
             --exclude '.pnpm-store' \
             --exclude '.pnpm-store/**' \
-            --exclude '.env*' \
-            --exclude 'apps/desktop/.env*' \
-            --exclude 'convex/.env*' \
-            ./ "$EFFECTIVE_APP_DIR"/ \
-            || rsync $RSYNC_FLAGS \
-              --filter='protect node_modules' \
-              --filter='protect node_modules/**' \
-              --filter='protect .pnpm-store' \
-              --filter='protect .pnpm-store/**' \
-              --filter='protect .env' \
-              --filter='protect .env*' \
-              --filter='protect apps/desktop/.env*' \
-              --filter='protect convex/.env*' \
-              --exclude '.git' \
-              --exclude '.next' \
-              --exclude 'node_modules' \
-              --exclude 'node_modules/**' \
-              --exclude '.pnpm-store' \
-              --exclude '.pnpm-store/**' \
-              --exclude '.env*' \
-              --exclude 'apps/desktop/.env*' \
-              --exclude 'convex/.env*' \
-              ./ "$EFFECTIVE_APP_DIR"/
+            $EXCLUDE_ENV \
+            ./ "$EFFECTIVE_APP_DIR"/
 
       - name: Install and build (Next.js)
         run: |
@@ -176,6 +160,10 @@ jobs:
         run: |
           mkdir -p "$EFFECTIVE_APP_DIR"
           RSYNC_FLAGS="-az --inplace --no-times --no-perms --no-owner --no-group --delete"
+          EXCLUDE_ENV="--exclude '.env*' --exclude 'apps/desktop/.env*' --exclude 'convex/.env*'"
+          if [ "$EFFECTIVE_APP_DIR" != "${APP_DIR:-/srv/apps/sistema}" ]; then
+            EXCLUDE_ENV=""
+          fi
           rsync $RSYNC_FLAGS \
             --filter='protect node_modules' \
             --filter='protect node_modules/**' \
@@ -191,29 +179,8 @@ jobs:
             --exclude 'node_modules/**' \
             --exclude '.pnpm-store' \
             --exclude '.pnpm-store/**' \
-            --exclude '.env*' \
-            --exclude 'apps/desktop/.env*' \
-            --exclude 'convex/.env*' \
-            ./ "$EFFECTIVE_APP_DIR"/ \
-            || rsync $RSYNC_FLAGS \
-              --filter='protect node_modules' \
-              --filter='protect node_modules/**' \
-              --filter='protect .pnpm-store' \
-              --filter='protect .pnpm-store/**' \
-              --filter='protect .env' \
-              --filter='protect .env*' \
-              --filter='protect apps/desktop/.env*' \
-              --filter='protect convex/.env*' \
-              --exclude '.git' \
-              --exclude '.next' \
-              --exclude 'node_modules' \
-              --exclude 'node_modules/**' \
-              --exclude '.pnpm-store' \
-              --exclude '.pnpm-store/**' \
-              --exclude '.env*' \
-              --exclude 'apps/desktop/.env*' \
-              --exclude 'convex/.env*' \
-              ./ "$EFFECTIVE_APP_DIR"/
+            $EXCLUDE_ENV \
+            ./ "$EFFECTIVE_APP_DIR"/
       - name: Deploy functions to Convex self-hosted
         run: |
           docker run --rm -i \