diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml
index 870a5a99..1bae7b04 100644
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -122,5 +122,11 @@ jobs:
 echo "All smoke checks passed"
 - name: Cleanup env file
+ # LOAD-BEARING: `if: always()` is the linchpin of the ADR-011
+ # single-tenant runner trust model. Every secret in .env.staging
+ # is plain text on the runner filesystem until this step runs.
+ # If a future refactor drops `if: always()`, a failed deploy
+ # leaves the env-file behind. Do not remove this conditional
+ # without first re-evaluating ADR-011.
 if: always()
 run: rm -f .env.staging
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 3d5c99d1..96894fed 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -116,5 +116,11 @@ jobs:
 echo "All smoke checks passed"
 - name: Cleanup env file
+ # LOAD-BEARING: `if: always()` is the linchpin of the ADR-011
+ # single-tenant runner trust model. Every secret in
+ # .env.production is plain text on the runner filesystem until
+ # this step runs. If a future refactor drops `if: always()`, a
+ # failed deploy leaves the env-file behind. Do not remove this
+ # conditional without first re-evaluating ADR-011.
 if: always()
 run: rm -f .env.production
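Review bot: The new comment on the nightly cleanup step overstates what `if: always()` guarantees — it covers step failure and (on GitHub-style runners) cancellation, but not a runner process that is killed, a host that reboots, or a job that never reaches this step because the runner crashed mid-deploy, so `rm -f .env.staging` is best-effort rather than a linchpin. The comment should say so and point at the compensating control, otherwise the next reader will assume ADR-011 holds with no defence in depth: `# NOTE: always() does not survive a runner crash or host kill; this rm is best-effort.` followed by `# The job-start cleanup (or an ephemeral runner) is the real guarantee — keep both.` If no such job-start cleanup exists today, I would add a first step that runs the same `rm -f` before any secret is written, and mention it here. The step that writes `.env.staging` is outside this hunk, so I am inferring that it is a plain-text file from the comment alone.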
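Review bot: The release hunk duplicates, nearly verbatim, the same six-line security rationale and the same cleanup step that the nightly workflow carries, and the two already differ only by file name, which is exactly how they will drift the next time one is edited. A short pointer is enough here if the reasoning lives in one place: `# See ADR-011: always() is what guarantees the cleanup runs after a failed deploy. Do not remove.` and keep the full rationale in the ADR (or in one shared composite action that both workflows call for "write env file / deploy / cleanup"). If Gitea's runner is used here rather than GitHub's, it is worth confirming in the ADR that act_runner honours `if: always()` after a failed step, since the whole trust model as written rests on that behaviour.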