diff --git a/scripts/bump-digest.sh b/scripts/bump-digest.sh
index 8648a13..f3e0063 100755
--- a/scripts/bump-digest.sh
+++ b/scripts/bump-digest.sh
@@ -46,7 +46,11 @@ git --no-pager diff -- "${MANIFEST}"
 git config user.name "bztmon-site CI"
 git config user.email "ci@bztmon.com"
 git commit -am "bztmon-site: deploy ${TAG}"
-git push origin "${BRANCH}"
+# Force-push: the deploy branch name is deterministic (per-commit), so a RE-RUN of the same
+# commit would otherwise hit a non-fast-forward reject ("fetch first") against the stale branch
+# from the prior run. The branch is an ephemeral, disposable deploy artifact (main is the gate,
+# protected, human-merged) → force is safe and makes re-runs idempotent.
+git push --force origin "${BRANCH}"
 
 # --- PR (never auto-merge; BEST-EFFORT) ------------------------------------
 # The branch push above IS the deploy artifact — the rollout is ready regardless of the PR.