diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml
index 4296f1636..b23fcbced 100644
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@@ -1,9 +1,11 @@
 # Veza deploy pipeline.
 #
 # Triggers (intentionally narrow — see SECURITY note below):
-#   push:main → env=staging, sha=$GITHUB_SHA
-#   push:tags ['v*'] → env=prod, sha=$GITHUB_SHA (tag's pointee)
 #   workflow_dispatch → operator-supplied env + sha
+#   (push:main + tag:v* are commented OUT until provisioning is
+#   complete — see docs/RUNBOOK_DEPLOY_BOOTSTRAP.md. Re-enable
+#   once secrets/runner/vault are in place and a manual run via
+#   workflow_dispatch has been verified GREEN.)
 #
 # SECURITY: this workflow runs on a self-hosted runner with access to
 # the Incus unix socket (effectively root on the host). DO NOT add
@@ -15,9 +17,9 @@
 name: Veza deploy
 
 on:
-  push:
-    branches: [main]
-    tags: ['v*']
+  # push:              # GATED — uncomment after first
+  #   branches: [main] # successful workflow_dispatch run
+  #   tags: ['v*']     # see RUNBOOK_DEPLOY_BOOTSTRAP.md
   workflow_dispatch:
     inputs:
       env:
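Review bot: The two removed header lines were the only statement of what the gated triggers do once re-enabled — a push to main deploys staging at `$GITHUB_SHA`, a `v*` tag deploys prod at the tag's pointee — and the new note only says "uncomment", so whoever does the re-enable has to rediscover the env mapping from the job body, which is outside this hunk and, as far as I can tell, unchanged. I would keep the mapping next to the gate, e.g. `#   push:main      → env=staging (DISABLED, see below)` and `#   push:tags v*   → env=prod    (DISABLED, see below)`, so the header still documents the full trigger set rather than only the one currently live. The header comment block continues past the end of the hunk.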
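Review bot: Gating the push triggers makes workflow_dispatch the only way this workflow runs, so an operator-supplied `sha` is now the sole input to a job that, per the SECURITY note in the header, executes with root-equivalent access to the host — and nothing in this hunk constrains that input (the `inputs:` block and the job body continue past `env:` outside the hunk). Unless the job already does it, validate before anything touches the Incus socket, e.g. `[[ "$SHA" =~ ^[0-9a-f]{40}$ ]] || exit 1` and `git merge-base --is-ancestor "$SHA" origin/main || exit 1` (or reachability from a `v*` tag when `env=prod`), with the value passed through `env:` rather than interpolated as `${{ inputs.sha }}` inside a `run:` step, where a crafted input would be shell-expanded. Whoever can dispatch the workflow — in Forgejo that is, I believe, repository write access — now has the reach that a push to `main` used to have, so it is worth confirming that is the intended trust boundary before the runner is provisioned. When the `tags: ['v*']` line is uncommented, the prod path should also be backed by a protected-tag rule so an ordinary tag push cannot drive a prod deploy.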