diff --git a/.woodpecker.yml b/.woodpecker.yml
index 8c967b1..407b111 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -35,7 +35,7 @@ steps:
       - echo "nameserver 1.1.1.1" > /etc/resolv.conf
       - echo "nameserver 1.0.0.1" >> /etc/resolv.conf
       - chmod +x scripts/refresh-lockfile.sh
-      - ./scripts/refresh-lockfile.sh --check
+      - sh scripts/refresh-lockfile.sh --check
     when:
       branch: main
       event: [push, pull_request]
diff --git a/scripts/refresh-lockfile.sh b/scripts/refresh-lockfile.sh
index cf956ea..ab661b5 100755
--- a/scripts/refresh-lockfile.sh
+++ b/scripts/refresh-lockfile.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 # Refresh package-lock.json to apply npm overrides and get latest compatible versions
 # This ensures security patches from overrides are actually applied
 #
@@ -17,10 +17,21 @@ fi
 
 echo "🔄 Refreshing package-lock.json..."
 
+# Detect hash command (sha256sum on Linux, shasum on macOS)
+HASH_CMD=""
+if command -v sha256sum >/dev/null 2>&1; then
+    HASH_CMD="sha256sum"
+elif command -v shasum >/dev/null 2>&1; then
+    HASH_CMD="shasum -a 256"
+else
+    echo "❌ Error: Neither sha256sum nor shasum found"
+    exit 1
+fi
+
 # Backup current lock file hash for comparison
 OLD_HASH=""
 if [ -f package-lock.json ]; then
-    OLD_HASH=$(shasum -a 256 package-lock.json | cut -d' ' -f1)
+    OLD_HASH=$($HASH_CMD package-lock.json | cut -d' ' -f1)
 fi
 
 # Clean and regenerate
@@ -34,7 +45,7 @@ else
     npm install
 fi
 
-NEW_HASH=$(shasum -a 256 package-lock.json | cut -d' ' -f1)
+NEW_HASH=$($HASH_CMD package-lock.json | cut -d' ' -f1)
 
 if [ "$OLD_HASH" = "$NEW_HASH" ]; then
     echo "✅ package-lock.json is up to date"