diff --git a/.gitea/workflows/secrets.yml b/.gitea/workflows/secrets.yml
index a4b15e2..f331475 100644
--- a/.gitea/workflows/secrets.yml
+++ b/.gitea/workflows/secrets.yml
@@ -48,6 +48,18 @@ jobs:
           echo "version=${version}" >> "$GITHUB_OUTPUT"
           echo "tag=${tag}" >> "$GITHUB_OUTPUT"
 
+          # 版本 bump 硬检查：若本次推送包含 crates/ 或 Cargo.toml 变更，
+          # 但版本号与上一提交一致，则视为未发版，直接失败。
+          prev_version=$(git show HEAD^:crates/secrets-mcp/Cargo.toml 2>/dev/null | grep -m1 '^version' | sed 's/.*"\(.*\)".*/\1/' || true)
+          if [ -n "$prev_version" ] && [ "$version" = "$prev_version" ]; then
+            # 确认本次推送是否包含 crates/ 或 Cargo.toml 变更
+            if git diff --name-only HEAD^ HEAD 2>/dev/null | grep -qE '^crates/|^Cargo\.toml$'; then
+              echo "::error::工作区包含 crates/ 或 Cargo.toml 变更，但版本号未 bump（${version} == ${prev_version}）"
+              echo "按规则，每次代码变更必须 bump crates/secrets-mcp/Cargo.toml 中的 version。"
+              exit 1
+            fi
+          fi
+
           if git rev-parse "refs/tags/${tag}" >/dev/null 2>&1; then
             echo "⚠ 版本 ${tag} 已存在，将覆盖重新发版。"
             echo "tag_exists=true" >> "$GITHUB_OUTPUT"