diff --git a/scripts/bump-digest.sh b/scripts/bump-digest.sh
index 5a83b29..46b0d43 100755
--- a/scripts/bump-digest.sh
+++ b/scripts/bump-digest.sh
@@ -47,9 +47,16 @@ git config user.email "ci@bztmon.com"
 git commit -am "bztmon-site: deploy ${TAG}"
 git push origin "${BRANCH}"
 
-# --- Open the PR (never auto-merge) ----------------------------------------
-curl -fsSL -X POST "${GITEA_API}/repos/jwrong96/home-ops/pulls" \
- -H "Authorization: token ${GITEA_TOKEN}" \
- -H "Content-Type: application/json" \
- -d "{\"head\":\"${BRANCH}\",\"base\":\"main\",\"title\":\"bztmon-site: deploy ${TAG}\",\"body\":\"Automated digest bump.\\n\\nImage: \`${REF}\`\\n\\nMerge to roll out via ArgoCD.\"}"
-echo ">> PR opened for ${BRANCH}"
+# --- PR (never auto-merge) -------------------------------------------------
+# Default (least-privilege): just push the branch — Jonathon opens+merges the PR (the approval
+# gate + the ArgoCD trigger). Only auto-open a PR if a GITEA_TOKEN is provided.
+if [[ -n "${GITEA_TOKEN:-}" ]]; then
+ curl -fsSL -X POST "${GITEA_API}/repos/jwrong96/home-ops/pulls" \
+ -H "Authorization: token ${GITEA_TOKEN}" \
+ -H "Content-Type: application/json" \
+ -d "{\"head\":\"${BRANCH}\",\"base\":\"main\",\"title\":\"bztmon-site: deploy ${TAG}\",\"body\":\"Automated digest bump.\\n\\nImage: \`${REF}\`\\n\\nMerge to roll out via ArgoCD.\"}"
+ echo ">> PR opened for ${BRANCH}"
+else
+ echo ">> branch ${BRANCH} pushed (image ${REF})."
+ echo ">> open the PR to roll out: https://gitea.bztmon.org/jwrong96/home-ops/compare/main...${BRANCH}"
+fi
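Review bot: The token is still passed on the curl command line (`-H "Authorization: token ${GITEA_TOKEN}"`), where it is readable by any user on the runner through the process list and is copied into the job log if tracing is ever enabled; since this commit is about least privilege, feed it through a file descriptor instead, e.g. `-H @<(printf 'Authorization: token %s\n' "${GITEA_TOKEN}")` (curl 7.55+ accepts `-H @file`). The JSON body is also built by interpolating `${BRANCH}`, `${TAG}` and `${REF}` straight into a quoted string, so a `"` or `\` in any of them corrupts the request or changes its fields — assembling it with `jq -n --arg head "$BRANCH" --arg title "..." --arg body "..." '{head:$head,base:"main",title:$title,body:$body}'` would rule that out, if jq is present in the CI image. The fallback message hardcodes `https://gitea.bztmon.org/...` while the API branch uses `${GITEA_API}`; deriving one from the other keeps the two from drifting apart. The script's prologue (whether `set -u` guards an unset `${GITEA_API}` when a token is supplied) is outside the hunk.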