diff --git a/runner/run_recipe_ci.py b/runner/run_recipe_ci.py
index ee719f3..dfa49c0 100644
--- a/runner/run_recipe_ci.py
+++ b/runner/run_recipe_ci.py
@@ -951,6 +951,13 @@ def promote_canonical(
     meta = meta_mod.load(recipe)
     # The cold run's deploy-count was already asserted + the countfile removed; don't perturb it.
     os.environ.pop("CCCI_DEPLOY_COUNT_FILE", None)
+    # FRESH SEED only (no existing canonical): clear any leftover warm-<recipe> stack state from a
+    # PRIOR FAILED promote attempt (secrets/.env/partial volumes). Without this, a recipe whose
+    # install_steps inserts a non-generatable secret (e.g. drone's gitea client_secret) FATAs
+    # "secret … already exists" on the retry, so a once-failed promote can never recover. A
+    # re-promote (canonical EXISTS) must NOT teardown — it reattaches its retained known-good volume.
+    if not canonical.read_registry(recipe):
+        lifecycle.teardown_app(canonical.canonical_domain(recipe), verify=False)
     # Pristine tree at the tag: discard the cold run's tier mutations + untracked overlay so the
     # pinned `abra app new` clean-tree gate passes (deploy_app re-applies the overlay + auto-chaos).
     abra.recipe_checkout(recipe, version)