diff --git a/.woodpecker.yml b/.woodpecker.yml
index 92c9833..23b87f0 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -23,6 +23,26 @@ steps:
             from_secret: forgejo_push_token
       dockerfile: Dockerfile
       context: .
-      auto_tag: true
       platforms:
         - linux/amd64
+      tags:
+        - "latest"
+        - "${CI_COMMIT_SHA:0:8}"
+
+  # We build the image, so we drive the rollout too — atomic + deterministic,
+  # no wait for Keel's hourly poll and no risk of Keel resolving :latest to a
+  # stale concrete tag. Keel stays enrolled in parallel as a redundant net
+  # (it finds the SHA already running → no-op). set image on a NEW :SHA always
+  # changes the pod template → guaranteed rollout, and bootstraps off any
+  # legacy pinned tag with no manual step. Sets the alembic-migrate init
+  # container too — it shares the image so its tag must move in lockstep.
+  - name: deploy
+    image: bitnami/kubectl:latest
+    depends_on:
+      - build-and-push
+    when:
+      branch: master
+      event: [push, manual]
+    commands:
+      - "kubectl set image deployment/fire-planner fire-planner=forgejo.viktorbarzin.me/viktor/fire-planner:${CI_COMMIT_SHA:0:8} alembic-migrate=forgejo.viktorbarzin.me/viktor/fire-planner:${CI_COMMIT_SHA:0:8} -n fire-planner"
+      - "kubectl rollout status deployment/fire-planner -n fire-planner --timeout=300s"