diff --git a/modules/drone.nix b/modules/drone.nix
index 4e1ed99..839db4a 100644
--- a/modules/drone.nix
+++ b/modules/drone.nix
@@ -39,7 +39,12 @@ let
 }
 set_env LETS_ENCRYPT_ENV ""
 set_env EXTRA_DOMAINS ""
- set_env DRONE_USER_CREATE "username:autonomic-bot,admin:true"
+ # Inject the bridge's Drone token as the bot's MACHINE TOKEN so it is reproducible on a fresh
+ # Drone DB. Without `token:`, Drone auto-generates a random token that the committed (sops)
+ # bridge_drone_token can't match → on a clean-room rebuild the bridge gets 401 and can't trigger
+ # builds (the original only matched because its token was captured out-of-band post-hoc). Caught
+ # by the E2E-TESTME acceptance test. With `token:`, every rebuild's bot carries the sops token.
+ set_env DRONE_USER_CREATE "username:autonomic-bot,admin:true,token:$(cat /run/secrets/bridge_drone_token)"
 set_env GITEA_DOMAIN "git.autonomic.zone"
 set_env GITEA_CLIENT_ID "${giteaClientId}"
 set_env RPC_SECRET_VERSION "v1"
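Review bot: The added `set_env DRONE_USER_CREATE` line reads the secret inline with `$(cat /run/secrets/bridge_drone_token)`, so a missing or empty secret file is not caught. The substitution expands to nothing and the value becomes `...,token:` with no token, which likely brings back the 401 mismatch the comment describes instead of failing the deploy. Read it into a variable first and stop if it is empty, e.g. `token="$(cat /run/secrets/bridge_drone_token)"` then `[ -n "$token" ] || { echo "bridge_drone_token missing or empty" >&2; exit 1; }`, and pass `token:$token`. The token for an `admin:true` account is also now passed through `set_env`, so it is presumably readable by anything that can inspect the service's environment. `set_env` and the rest of the `let` block are outside this hunk, so confirm where that value is written and who can read it.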