diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml
index 681c0e25..68dbd4f2 100644
--- a/.github/workflows/deploy-prod.yml
+++ b/.github/workflows/deploy-prod.yml
@@ -160,10 +160,13 @@ jobs:
           export KUBECONFIG=${{ env.KUBECONFIG }}
           export PATH=$HOME/bin:$PATH
           echo "📦 Applying K8s manifests..."
-          # 排除 kustomization.yaml (那是給 -k 用的，不能直接 apply)
+          # 排除 kustomization.yaml 與 secrets (Secrets 由手動管理，避免覆蓋)
           for f in k8s/awoooi-prod/*.yaml; do
-            if [[ "$(basename "$f")" != "kustomization.yaml" ]]; then
+            BASENAME="$(basename "$f")"
+            if [[ "$BASENAME" != "kustomization.yaml" && "$BASENAME" != "03-secrets.yaml" && "$BASENAME" != "03-secrets.example.yaml" ]]; then
               kubectl apply -f "$f" --namespace=${{ env.K8S_NAMESPACE }}
+            else
+              echo "⏭️ Skipped: $BASENAME (managed separately)"
             fi
           done