diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index ff16ce08..2de14bbc 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -200,6 +200,23 @@ jobs:
  ;;
  .gitea/workflows/cd.yaml)
  ;;
+ # 2026-06-30 Codex: workflow secret-transport and guard-only
+ # hardening must stay on the narrow profile. These changes are
+ # validated by workflow-shape, the secret-surface guard, and the
+ # runner pressure/profile tests; sending them to full/B5 would
+ # reintroduce the heavy runner path while not increasing coverage.
+ .gitea/workflows/cd-dev.yaml)
+ ;;
+ .gitea/workflows/code-review.yaml)
+ ;;
+ .gitea/workflows/deploy-alerts.yaml)
+ ;;
+ .gitea/workflows/e2e-health.yaml)
+ ;;
+ .gitea/workflows/run-migration.yml)
+ ;;
+ scripts/ci/check-gitea-step-env-secrets.js)
+ ;;
  # 2026-06-29 Codex: the onboarding warning-step workflow is
  # copied in a disabled workflow_dispatch-only state. Treat the
  # source and template files as controlled-runtime sources so the
diff --git a/ops/runner/test_cd_controlled_runtime_profile.py b/ops/runner/test_cd_controlled_runtime_profile.py
index 4360308f..a941c4b6 100644
--- a/ops/runner/test_cd_controlled_runtime_profile.py
+++ b/ops/runner/test_cd_controlled_runtime_profile.py
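Review bot: The `scripts/ci/check-gitea-step-env-secrets.js)` arm sends edits to the secret-surface guard itself down the narrow profile, while the rationale comment above it names that same guard as one of the validators, so a change to the guard script is partly checked by the changed guard. If the guard's own tests also run on this profile the comment should say so; if they do not, this one arm deserves the fuller path or a second independent check. I would also name the test that pins this list so the two stay in sync, e.g. `# Pinned by ops/runner/test_cd_controlled_runtime_profile.py`. The enclosing case statement starts and ends outside the hunk.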
@@ -35,6 +35,21 @@ def test_deploy_marker_k8s_files_stay_on_controlled_runtime_profile() -> None:
     assert "k8s/awoooi-prod/kustomization.yaml)" in text
 
 
+def test_workflow_secret_transport_sources_stay_on_controlled_runtime_profile() -> None:
+    text = _workflow_text()
+    assert "workflow secret-transport and guard-only" in text
+    expected_sources = [
+        ".gitea/workflows/cd-dev.yaml)",
+        ".gitea/workflows/code-review.yaml)",
+        ".gitea/workflows/deploy-alerts.yaml)",
+        ".gitea/workflows/e2e-health.yaml)",
+        ".gitea/workflows/run-migration.yml)",
+        "scripts/ci/check-gitea-step-env-secrets.js)",
+    ]
+    for source in expected_sources:
+        assert source in text
+
+
 def test_onboarding_warning_step_template_stays_on_controlled_runtime_profile() -> None:
     text = _workflow_text()
     assert "onboarding warning-step workflow is" in text
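Review bot: `assert source in text` only proves each path appears somewhere in cd.yaml, not that it sits inside the controlled-runtime arm group, so the test still passes if an entry is moved to the full/B5 arm or survives only in a comment. The sibling tests in this file use the same whole-text substring check, so this is a file-wide weakness rather than one this commit introduces, but the new test can cheaply narrow its window to the slice between the `workflow secret-transport and guard-only` rationale and the following `2026-06-29 Codex:` block that the cd.yaml hunk shows. The sketch below keeps the same expected list and adds that window.

```python
def test_workflow_secret_transport_sources_stay_on_controlled_runtime_profile() -> None:
    text = _workflow_text()
    start = text.index("workflow secret-transport and guard-only")
    # The next dated rationale block in cd.yaml closes this arm group.
    end = text.index("2026-06-29 Codex:", start)
    arm_group = text[start:end]
    expected_sources = [
        # … unchanged: the six expected source patterns …
    ]
    for source in expected_sources:
        assert source in arm_group
```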