diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index 0533e21..902bf3f 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -18,6 +18,11 @@ on:
         required: false
         default: false
         type: boolean
+      skip_shared_secrets_deployment:
+        description: "Skip shared secrets deployment (e.g. restic backup secret)"
+        required: false
+        default: false
+        type: boolean
 
 jobs:
   detect-service-type:
@@ -48,6 +53,26 @@ jobs:
             echo "No k8s directory found at ${{ inputs.k8s_dir }}"
           fi
 
+  deploy-shared-secrets:
+    runs-on: ubuntu-latest
+    needs: detect-service-type
+    if: inputs.skip_shared_secrets_deployment != 'true'
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Set restic backup secret
+        uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218 # v5.0.1
+        with:
+          namespace: ${{ steps.namespace.outputs.namespace }}
+          secret-name: backupsidecar-secret
+          secret-type: generic
+          data: |
+            {
+              "restic_password": "${{ secrets.RESTIC_PASSWORD }}",
+              "restic_rest_username": "${{ secrets.RESTIC_REST_USERNAME }}",
+              "restic_rest_password": "${{ secrets.RESTIC_REST_PASSWORD }}",
+              "gotify_token": "${{ secrets.GOTIFY_TOKEN }}"
+            }
+
   deploy-k8s:
     runs-on: ubuntu-latest
     needs: detect-service-type