diff --git a/.woodpecker.yml b/.woodpecker.yml index 2433db0..1ea90b8 100644 --- a/.woodpecker.yml +++ b/.woodpecker.yml @@ -1,11 +1,13 @@ -# Woodpecker CI - All 21 services + migrate run in parallel via matrix -# Woodpecker executes each matrix entry as a separate pipeline concurrently +# Woodpecker CI - Build all services + update GitOps with image digests +# +# Secrets required in Woodpecker: +# - REGISTRY_HOSTPORT, REGISTRY_USERNAME, REGISTRY_PASSWORD (existing) +# - GITOPS_REPO_URL, GITOPS_BRANCH, GITOPS_TOKEN, GITOPS_USERNAME, GITOPS_EMAIL when: branch: [main, high-performance] event: push -# Limit concurrent pipelines to avoid overwhelming resources concurrency: limit: 4 
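Review bot: The new header comment says the pipeline updates GitOps "with image digests", but the `update-gitops` step added in the next hunk writes a `:${CI_COMMIT_SHA}` tag into kustomization.yaml, not a digest. A tag can be re-pointed in the registry after the build, so only a digest reference binds the deployed manifest to the image this pipeline produced. If digest pinning is the intent, the step should resolve the pushed image's digest and write it as an `@sha256:` reference; otherwise reword the line to `# Woodpecker CI - Build all services + update GitOps with commit-SHA image tags`.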
@@ -56,8 +58,54 @@ steps: platforms: linux/amd64 cache: false + - name: update-gitops + image: alpine:latest + environment: + GITOPS_REPO_URL: + from_secret: GITOPS_REPO_URL + GITOPS_BRANCH: + from_secret: GITOPS_BRANCH + GITOPS_TOKEN: + from_secret: GITOPS_TOKEN + commands: + - | + set -e + apk add --no-cache git bash sed + + SERVICE_IMAGE="registry.nxtgauge.com:5000/nxtgauge-rust-${SERVICE}:${CI_COMMIT_SHA}" + echo "Service: ${SERVICE}, Image: ${SERVICE_IMAGE}" + + # Clone gitops repo + GIT_REPO=$(echo "${GITOPS_REPO_URL}" | sed 's|https://||') + git clone "https://x-access-token:${GITOPS_TOKEN}@${GIT_REPO}" /tmp/gitops + cd /tmp/gitops + git checkout ${GITOPS_BRANCH:-main} + + # Find and update the image in backend overlay + BACKEND_OVERLAY="apps/nxtgauge-backend-rust/overlays/prod" + if [ -f "${BACKEND_OVERLAY}/kustomization.yaml" ]; then + # Update to use SHA tag + sed -i "s|image: registry.nxtgauge.com:5000/nxtgauge-rust-${SERVICE}:.*|image: registry.nxtgauge.com:5000/nxtgauge-rust-${SERVICE}:${CI_COMMIT_SHA}|" \ + ${BACKEND_OVERLAY}/kustomization.yaml + echo "Updated ${SERVICE} in ${BACKEND_OVERLAY}/kustomization.yaml" + fi + + # Commit if changed + if ! git diff --quiet; then + git add -A + git commit -m "ci: update ${SERVICE} to ${CI_COMMIT_SHA:0:8}" + git push origin ${GITOPS_BRANCH:-main} + echo "Pushed GitOps update" + else + echo "No changes to push" + fi + when: + status: success + matrix: + SERVICE: [gateway, users] + --- -# Separate pipeline for database migrations (runs independently) +# Database migrations pipeline when: branch: [main, high-performance] event: push
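Review bot: The write-capable GitOps token is placed in the remote URL at `git clone "https://x-access-token:${GITOPS_TOKEN}@${GIT_REPO}"`, so it is stored as the origin URL in `/tmp/gitops/.git/config` and may surface in git output that quotes the remote; passing it through a credential helper keeps it out of the URL. The same step runs on `image: alpine:latest` and installs git at run time, so the code that handles the token is not pinned; a version-plus-digest reference would fix that. `git commit` also runs with no `user.name` or `user.email` configured, which is likely to fail in a fresh container, and the GITOPS_USERNAME and GITOPS_EMAIL secrets named in the header comment are never mapped into the step. Woodpecker pre-processes `${...}` expressions in the pipeline file, so it is worth confirming that the secret references reach the shell intact (the `$${VAR}` escape exists for that).

```yaml
  - name: update-gitops
    # Placeholder values: pin a reviewed Alpine release by digest.
    image: "alpine:<PINNED_VERSION>@sha256:<DIGEST>"
    environment:
      # … unchanged: GITOPS_REPO_URL, GITOPS_BRANCH, GITOPS_TOKEN …
      GITOPS_USERNAME:
        from_secret: GITOPS_USERNAME
      GITOPS_EMAIL:
        from_secret: GITOPS_EMAIL
    commands:
      - |
        # … unchanged: set -e, apk add, SERVICE_IMAGE …

        # Hand the token to git at request time so it never becomes part of the remote URL.
        git config --global credential.helper \
          '!f() { echo "username=x-access-token"; echo "password=${GITOPS_TOKEN}"; }; f'
        git config --global user.name "${GITOPS_USERNAME}"
        git config --global user.email "${GITOPS_EMAIL}"
        git clone "${GITOPS_REPO_URL}" /tmp/gitops
        # … unchanged: checkout, sed update, commit and push …
```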