diff --git a/.woodpecker/db.yml b/.woodpecker/db.yml
index 8c559be..6b29c7f 100644
--- a/.woodpecker/db.yml
+++ b/.woodpecker/db.yml
@@ -35,24 +35,7 @@ steps:
 REGISTRY_URL: registry.sendico.io
 MONGO_VERSION: latest
 commands:
- - |
- set -euo
- mkdir -p ci/prod/env
- set -a
- . ./ci/prod/.env.runtime
- . ./.env.version
- set +a
- test -s secrets/REGISTRY_USER && test -s secrets/REGISTRY_PASS
- CREDS="$(cat secrets/REGISTRY_USER):$(cat secrets/REGISTRY_PASS)"
- skopeo copy --all \
- docker://docker.io/library/mongo:${MONGO_VERSION} \
- docker://${REGISTRY_URL}/mirror/mongo:${APP_V} \
- --dest-creds "$CREDS"
- INSPECT=$(skopeo inspect docker://${REGISTRY_URL}/mirror/mongo:${APP_V} --creds "$CREDS")
- DIGEST="$(printf '%s' "$INSPECT" | tr -d '\n' | sed -n 's/.*"Digest"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')"
- test -n "$DIGEST"
- printf 'MONGO_TAG=%s\nMONGO_DIGEST=%s\n' "$APP_V" "$DIGEST" | tee .env.lock ci/prod/env/.env.lock.db
- cat .env.lock
+ - bash ci/prod/scripts/lock-db.sh

 - name: deploy
 image: alpine:latest
diff --git a/ci/prod/scripts/lock-db.sh b/ci/prod/scripts/lock-db.sh
new file mode 100644
index 0000000..429f2f5
--- /dev/null
+++ b/ci/prod/scripts/lock-db.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+mkdir -p ci/prod/env
+
+# export runtime vars (SSH_HOST etc.) and version info for downstream steps
+set -a
+. ./ci/prod/.env.runtime
+. ./.env.version
+set +a
+
+REGISTRY_URL="${REGISTRY_URL:-}"
+MONGO_VERSION="${MONGO_VERSION:-latest}"
+APP_V="${APP_V:-}"
+
+if [ -z "$REGISTRY_URL" ]; then
+ echo "REGISTRY_URL is not set (define in .env.runtime or Woodpecker env)" >&2
+ exit 1
+fi
+if [ -z "$APP_V" ]; then
+ echo "APP_V is not set (version step must run first)" >&2
+ exit 1
+fi
+
+for f in secrets/REGISTRY_USER secrets/REGISTRY_PASS; do
+ if [ ! -s "$f" ]; then
+ echo "missing registry credential: $f" >&2
+ exit 1
+ fi
+done
+
+CREDS="$(cat secrets/REGISTRY_USER):$(cat secrets/REGISTRY_PASS)"
+
+skopeo copy --all \
+ "docker://docker.io/library/mongo:${MONGO_VERSION}" \
+ "docker://${REGISTRY_URL}/mirror/mongo:${APP_V}" \
+ --dest-creds "$CREDS"
+
+INSPECT="$(skopeo inspect "docker://${REGISTRY_URL}/mirror/mongo:${APP_V}" --creds "$CREDS")"
+DIGEST="$(printf '%s' "$INSPECT" | tr -d '\n' | sed -n 's/.*"Digest"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')"
+
+if [ -z "$DIGEST" ]; then
+ echo "failed to parse digest from skopeo inspect output" >&2
+ exit 1
+fi
+
+printf 'MONGO_TAG=%s\nMONGO_DIGEST=%s\n' "$APP_V" "$DIGEST" | tee .env.lock ci/prod/env/.env.lock.db
+cat .env.lock
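Review bot: The registry password is put on the command line twice, in `--dest-creds "$CREDS"` on `skopeo copy` and `--creds "$CREDS"` on `skopeo inspect`, so anything that can list processes on the runner can read it while those commands run. Logging in once with `--password-stdin` into a job-local auth file and passing `--authfile` to both commands keeps it off argv. Separately, the sed expression opens with a greedy `.*`, so after `tr -d '\n'` it captures the last `"Digest"` key in the JSON; on skopeo builds whose inspect output also lists per-layer digests, MONGO_DIGEST would presumably end up as a layer blob digest rather than the manifest digest. Asking skopeo for the field with `--format '{{.Digest}}'` removes the scraping. The lock is also read back from the mirror tag after copying the mutable `mongo:latest` default, so it records whatever upstream served at copy time, which deserves a comment next to `MONGO_VERSION`.

```shell
# … unchanged: env sourcing, REGISTRY_URL / APP_V / credential-file checks …

# log in once; the password arrives on stdin and never appears in argv
AUTH_DIR="$(mktemp -d)"
trap 'rm -rf "$AUTH_DIR"' EXIT
AUTHFILE="$AUTH_DIR/auth.json"
skopeo login --authfile "$AUTHFILE" \
  --username "$(cat secrets/REGISTRY_USER)" --password-stdin \
  "$REGISTRY_URL" < secrets/REGISTRY_PASS

skopeo copy --all --authfile "$AUTHFILE" \
  "docker://docker.io/library/mongo:${MONGO_VERSION}" \
  "docker://${REGISTRY_URL}/mirror/mongo:${APP_V}"

# take the manifest digest from skopeo itself rather than scraping JSON
DIGEST="$(skopeo inspect --authfile "$AUTHFILE" --format '{{.Digest}}' \
  "docker://${REGISTRY_URL}/mirror/mongo:${APP_V}")"

# … unchanged: empty-DIGEST check, .env.lock write …
```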