diff --git a/scripts/load-global-secrets.sh b/scripts/load-global-secrets.sh
index 48c5acd..f3447d8 100755
--- a/scripts/load-global-secrets.sh
+++ b/scripts/load-global-secrets.sh
@@ -48,23 +48,21 @@ EOF
 
   # Parser le CSV avec python3 — gère les champs multilignes et les virgules dans les valeurs
   local pairs
-  pairs=$(python3 - <<'PYEOF' <<< "$csv"
+  pairs=$(printf '%s' "$csv" | python3 -c "
 import sys, csv, re
-
 reader = csv.DictReader(sys.stdin)
 for row in reader:
-    group = row.get("Group", "")
-    title = row.get("Title", "")
-    password = row.get("Password", "")
-    if group != "Racine/global" and not group.startswith("Racine/global/"):
+    group = row.get('Group', '')
+    title = row.get('Title', '')
+    password = row.get('Password', '')
+    if group != 'Racine/global' and not group.startswith('Racine/global/'):
         continue
-    if not re.match(r'^[A-Z_][A-Z0-9_]*$', title):
+    if not re.match(r'^[A-Z_][A-Z0-9_]*\$', title):
         continue
     if not password:
         continue
-    print(f"{title}={password}")
-PYEOF
-  )
+    print(title + '=' + password)
+")
 
   if [ -z "$pairs" ]; then
     echo "Aucun secret global chargé." >&2
diff --git a/scripts/sync-service-secrets.sh b/scripts/sync-service-secrets.sh
index ae3431a..75efb78 100755
--- a/scripts/sync-service-secrets.sh
+++ b/scripts/sync-service-secrets.sh
@@ -59,23 +59,21 @@ EOF
 
   # Parser le CSV avec python3 — gère les champs multilignes et les virgules dans les valeurs
   local rendered_lines
-  rendered_lines=$(python3 - <<'PYEOF' <<< "$csv"
+  rendered_lines=$(printf '%s' "$csv" | python3 -c "
 import sys, csv, re
-
 reader = csv.DictReader(sys.stdin)
 for row in reader:
-    group = row.get("Group", "")
-    title = row.get("Title", "")
-    password = row.get("Password", "")
-    if group != "Racine/services" and not group.startswith("Racine/services/"):
+    group = row.get('Group', '')
+    title = row.get('Title', '')
+    password = row.get('Password', '')
+    if group != 'Racine/services' and not group.startswith('Racine/services/'):
         continue
-    if not re.match(r'^[A-Z_][A-Z0-9_]*$', title):
+    if not re.match(r'^[A-Z_][A-Z0-9_]*\$', title):
         continue
     if not password:
         continue
-    print(f"{title}={password}")
-PYEOF
-  )
+    print(title + '=' + password)
+")
 
   if [ -z "$rendered_lines" ]; then
     echo "Aucun secret de service chargé." >&2