diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3c3e436..6e2c6a2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -121,6 +121,8 @@ jobs:
 - name: Start Agnes from built image
 run: |
+ # Create empty .env (docker-compose.yml requires env_file: .env, gitignored)
+ touch .env
 # Use prod compose (GHCR images) + CI overlay (test secrets)
 export AGNES_TAG="${{ needs.build-and-push.outputs.image_tag }}"
 docker compose -f docker-compose.yml -f docker-compose.prod.yml -f docker-compose.ci.yml up -d app
diff --git a/app/secrets.py b/app/secrets.py
index 3dbcec9..41f837d 100644
--- a/app/secrets.py
+++ b/app/secrets.py
@@ -15,7 +15,10 @@ def _load_or_generate(env_var: str, file_name: str) -> str:
 data_dir = Path(os.environ.get("DATA_DIR", "./data"))
 secret_path = data_dir / "state" / file_name
 if secret_path.exists():
- return secret_path.read_text().strip()
+ val = secret_path.read_text().strip()
+ if val:
+ return val
+ logger.warning("Secret file %s is empty, regenerating", secret_path)
 secret_path.parent.mkdir(parents=True, exist_ok=True)
 val = secrets.token_hex(32)
 secret_path.write_text(val)
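Review bot: The added `touch .env` fixes the hard `env_file: .env` requirement only for this one step, so any other job or fresh checkout that starts the stack will hit the same failure. If the Compose version in use supports it (2.24 or later), marking the entry optional in docker-compose.yml, with `path: .env` and `required: false` under `env_file:`, would make the workaround unnecessary. docker-compose.yml is not part of this diff, so this needs checking against that file. The `run:` block continues past the end of the hunk.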
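Review bot: The regenerate path still ends in `secret_path.write_text(val)`, which creates the secret with the process umask (usually 0644) and is not atomic. Because `write_text` truncates before it writes, a second worker starting at the same moment can observe exactly the empty file this change now treats as "regenerate", and then write a different secret of its own. I would write the new value to a temporary file opened with mode `0o600` in the same directory and `os.replace` it into place, as sketched below. The `if val:` test also accepts a truncated value; whether a minimum length can be enforced depends on whether operators may supply their own file, which is not visible here. The function body continues past the end of the hunk.

```python
    # … unchanged: data_dir / secret_path lookup and the non-empty read …
    secret_path.parent.mkdir(parents=True, exist_ok=True)
    val = secrets.token_hex(32)
    # Write to an owner-only temp file and rename it into place, so a
    # concurrent reader never sees an empty or partially written secret.
    tmp_path = secret_path.with_name(f"{secret_path.name}.{os.getpid()}.tmp")
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(val)
    os.replace(tmp_path, secret_path)
```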