diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index b8656e14a..76507f0d7 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -2873,8 +2873,9 @@ COPY ./nginx.conf /etc/nginx/conf.d/default.conf");
         // Add top-level secrets definition
         $secrets = [];
         foreach ($variables as $env) {
+            $safe_filename = preg_replace('/[^A-Za-z0-9._-]/', '_', (string) $env->key);
             $secrets[$env->key] = [
-                'file' => "{$this->secrets_dir}/{$env->key}",
+                'file' => "{$this->secrets_dir}/{$safe_filename}",
             ];
         }
 
@@ -2904,7 +2905,9 @@ COPY ./nginx.conf /etc/nginx/conf.d/default.conf");
 
         // Update the compose file
         $composeFile['services'] = $services;
-        $composeFile['secrets'] = $secrets;
+        // merge with existing secrets if present
+        $existingSecrets = data_get($composeFile, 'secrets', []);
+        $composeFile['secrets'] = array_replace($existingSecrets, $secrets);
 
         $this->application_deployment_queue->addLogEntry('Added build secrets configuration to docker-compose file.');