diff --git a/.woodpecker.yml b/.woodpecker.yml
index 58911b4..2e756c4 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -118,19 +118,19 @@ steps:
         chmod 600 ~/.ssh/id_ed25519
         PROD_SSH_TARGET="$(gcloud secrets versions access latest --secret=PROD_SSH_TARGET --project=aptivaai-dev)"
 
-        # Source of truth: dev tag
-        DEV_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
-        [ -n "$DEV_TAG" ] || { echo "❌ dev IMG_TAG empty"; exit 2; }
-        echo "🚀 Deploying tag: $DEV_TAG"
+        # Always: get tag from dev
+        IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
+        [ -n "$IMG_TAG" ] || { echo "❌ dev IMG_TAG empty"; exit 2; }
+        echo "🚀 Deploying tag: $IMG_TAG"
 
-        # Pipe a script to the VM; pass DEV_TAG as $1
+        # Pipe script into SSH, pass IMG_TAG as $1
         cat <<'EOSSH' | ssh -T \
           -o ProxyCommand="gcloud compute start-iap-tunnel aptiva-prod-vm 22 \
             --project=aptivaai-prod --zone=us-central1-a \
             --listen-on-stdin --verbosity=error" \
           -o StrictHostKeyChecking=accept-new \
           -i ~/.ssh/id_ed25519 \
-          "$PROD_SSH_TARGET" bash -s -- "$DEV_TAG"
+          "$PROD_SSH_TARGET" bash -s -- "$IMG_TAG"
           set -euo pipefail
           IMG_TAG="${1:?missing tag}"; export IMG_TAG
           PROJECT=aptivaai-prod