diff --git a/argocd/manifests/forgejo-runner/configmap.yaml b/argocd/manifests/forgejo-runner/configmap.yaml
index 91d2405..dc4584e 100644
--- a/argocd/manifests/forgejo-runner/configmap.yaml
+++ b/argocd/manifests/forgejo-runner/configmap.yaml
@@ -18,7 +18,7 @@ data:
TZ: America/Los_Angeles
container:
- # Job execution image is set via RUNNER_LABELS in external-secret.yaml
+ # Job execution image is set via RUNNER_LABELS in deployment.yaml
network: "host" # Connect to DinD sidecar via TCP (not socket)
docker_host: tcp://127.0.0.1:2375
diff --git a/argocd/manifests/forgejo-runner/deployment.yaml b/argocd/manifests/forgejo-runner/deployment.yaml
index 5977ce7..e053adf 100644
--- a/argocd/manifests/forgejo-runner/deployment.yaml
+++ b/argocd/manifests/forgejo-runner/deployment.yaml
@@ -24,6 +24,12 @@ spec:
value: America/Los_Angeles
- name: DOCKER_HOST
value: tcp://localhost:2375
+ - name: FORGEJO_URL
+ value: "https://forge.ops.eblu.me"
+ - name: RUNNER_NAME
+ value: "k8s-runner"
+ - name: RUNNER_LABELS
+ value: "k8s:docker://registry.ops.eblu.me/blumeops/forgejo-runner:v3.1.0"
command:
- /bin/sh
- -c
diff --git a/argocd/manifests/forgejo-runner/external-secret.yaml b/argocd/manifests/forgejo-runner/external-secret.yaml
index 2d2b1d9..fce28bb 100644
--- a/argocd/manifests/forgejo-runner/external-secret.yaml
+++ b/argocd/manifests/forgejo-runner/external-secret.yaml
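Review bot: The new `RUNNER_LABELS` entry pins the job-execution image only by the mutable tag `:v3.1.0`, so every CI job runs whatever `registry.ops.eblu.me` happens to serve for that tag at job start; moving the value into the deployment makes bumps roll out, but it does not make the reference immutable. Append the digest so the manifest names exactly one image, `value: "k8s:docker://registry.ops.eblu.me/blumeops/forgejo-runner:v3.1.0@sha256:<digest>"` — the digest is not in this diff (the registry or `docker buildx imagetools inspect` reports it), and I am assuming the runner hands the `docker://` reference to the Docker engine unchanged, which accepts the tag@digest form; please verify against the runner version in use. A comment above the entry, `# Job image: bump tag and digest together`, would tell the next person why the reference has two parts. The container spec and its `command` continue outside the hunk.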
@@ -1,12 +1,11 @@
-# ExternalSecret for Forgejo Runner environment
-#
-# Replaces the manual op inject workflow from secret.yaml.tpl
+# ExternalSecret for Forgejo Runner token
#
# 1Password item: "Forgejo Secrets" in blumeops vault
# Field: runner_reg (runner registration token)
#
-# Note: Static values (FORGEJO_URL, RUNNER_NAME, RUNNER_LABELS) are included
-# via template since they don't need to be in 1Password.
+# Non-secret env vars (FORGEJO_URL, RUNNER_NAME, RUNNER_LABELS) live in the
+# deployment spec so that changes (e.g. image version bumps) trigger a rollout
+# automatically.
#
apiVersion: external-secrets.io/v1
kind: ExternalSecret
@@ -21,14 +20,8 @@ spec:
target:
name: forgejo-runner-env
creationPolicy: Owner
- template:
- data:
- FORGEJO_URL: "https://forge.ops.eblu.me"
- RUNNER_NAME: "k8s-runner"
- RUNNER_LABELS: "k8s:docker://registry.ops.eblu.me/blumeops/forgejo-runner:v3.1.0"
- RUNNER_TOKEN: "{{ .runner_token }}"
data:
- - secretKey: runner_token
+ - secretKey: RUNNER_TOKEN
remoteRef:
key: Forgejo Secrets
property: runner_reg
diff --git a/docs/changelog.d/feature-runner-env-refactor.infra.md b/docs/changelog.d/feature-runner-env-refactor.infra.md
new file mode 100644
index 0000000..2cfcbd5
--- /dev/null
+++ b/docs/changelog.d/feature-runner-env-refactor.infra.md
@@ -0,0 +1 @@
+Move non-secret forgejo-runner env vars from ExternalSecret to deployment spec so version bumps trigger automatic rollouts
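Review bot: With the template removed, Secret `forgejo-runner-env` now carries exactly one key, `RUNNER_TOKEN`, mapped from the 1Password field `runner_reg`, and the new header comment's rollout rationale does not hold for it: if ESO refreshes the Secret after the field is rotated, the running pod keeps the old value, because a Secret-backed env var is read once at container start. I would record that asymmetry next to the key, under `secretKey: RUNNER_TOKEN`, as `# Rotating runner_reg refreshes this Secret but not the running pod; roll the deployment afterwards`. The field is documented as a registration token, i.e. the credential that lets any holder register a further runner that then receives jobs and their secrets, so the 1Password item should hold a token scoped as narrowly as Forgejo allows (repo or org rather than instance) — the scope is not visible here. `refreshInterval` and `secretStoreRef` sit above the hunk, outside this diff.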