diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
index 9c4d1d5d..edb58b93 100644
--- a/.github/workflows/cd.yaml
+++ b/.github/workflows/cd.yaml
@@ -259,6 +259,18 @@ jobs:
         id: tag
         run: echo "tag=$(git rev-parse --short HEAD)-${{ github.run_id }}" >> $GITHUB_OUTPUT
 
+      # 2026-03-26: 注入 Telegram 機密到 K8s Secret
+      - name: Inject Telegram Secrets
+        run: |
+          kubectl patch secret awoooi-secrets -n awoooi-prod --type='json' \
+            -p='[{"op": "replace", "path": "/data/OPENCLAW_TG_BOT_TOKEN", "value": "'$(echo -n "${{ secrets.OPENCLAW_TG_BOT_TOKEN }}" | base64)'"}]' || \
+          kubectl create secret generic awoooi-secrets -n awoooi-prod \
+            --from-literal=OPENCLAW_TG_BOT_TOKEN="${{ secrets.OPENCLAW_TG_BOT_TOKEN }}" \
+            --dry-run=client -o yaml | kubectl apply -f -
+
+          kubectl patch secret awoooi-secrets -n awoooi-prod --type='json' \
+            -p='[{"op": "replace", "path": "/data/OPENCLAW_TG_CHAT_ID", "value": "'$(echo -n "${{ secrets.OPENCLAW_TG_CHAT_ID }}" | base64)'"}]' || true
+
       - name: Deploy
         run: |
           cd k8s/awoooi-prod