diff --git a/.gitea/workflows/cd.yml b/.gitea/workflows/cd.yml
index e1307bb..43730bb 100644
--- a/.gitea/workflows/cd.yml
+++ b/.gitea/workflows/cd.yml
@@ -37,9 +37,18 @@ jobs:
           project_id: ${{ secrets.GCP_PROJECT }}
 
       - name: Build & push (Cloud Build, sem Docker local)
+        env:
+          # SA key auth não popula quota_project no credentials file → gcloud
+          # cai em "default" e a chamada à Service Usage API falha com
+          # "serviceusage.services.use forbidden" mesmo com a role concedida.
+          CLOUDSDK_BILLING_QUOTA_PROJECT: ${{ secrets.GCP_PROJECT }}
         run: |
           IMG="${IMAGE_BASE}/${{ gitea.event.repository.name }}:lab-${{ gitea.run_number }}"
-          gcloud builds submit --tag "$IMG" --project=${{ secrets.GCP_PROJECT }} --timeout=30m
+          gcloud config set billing/quota_project "${{ secrets.GCP_PROJECT }}"
+          gcloud builds submit \
+            --tag "$IMG" \
+            --project=${{ secrets.GCP_PROJECT }} \
+            --timeout=30m
           echo "IMG=$IMG" >> $GITHUB_ENV
 
       - name: Deploy hml2 (apenas em push pra master/main)