diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7e96840..d84f8e8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,7 +21,6 @@ jobs: build-and-check: runs-on: ubuntu-latest env: - HUGO_VERSION: "0.162.1" HTMLTEST_VERSION: "0.17.0" steps: - name: Checkout @@ -32,6 +31,7 @@ jobs: - name: Install Hugo (extended) run: | + HUGO_VERSION="$(cat .hugoversion)" # single source of truth (see also deploy.yml) wget -O "${{ runner.temp }}/hugo.deb" \ "https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb" sudo dpkg -i "${{ runner.temp }}/hugo.deb" diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 8e736b8..468ff12 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -26,14 +26,7 @@ defaults: jobs: build: runs-on: ubuntu-latest - env: - HUGO_VERSION: 0.162.1 steps: - - name: Install Hugo CLI - run: | - wget -O ${{ runner.temp }}/hugo.deb \ - https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \ - && sudo dpkg -i ${{ runner.temp }}/hugo.deb - name: Checkout uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: @@ -45,6 +38,12 @@ jobs: uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0 with: enablement: true + - name: Install Hugo (extended) + run: | + HUGO_VERSION="$(cat .hugoversion)" # single source of truth (see also ci.yml) + wget -O "${{ runner.temp }}/hugo.deb" \ + "https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb" + sudo dpkg -i "${{ runner.temp }}/hugo.deb" - name: Refresh release versions (best-effort) env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/hugo-bump.yml b/.github/workflows/hugo-bump.yml new file mode 100644 index 0000000..9f05f3e --- /dev/null +++ b/.github/workflows/hugo-bump.yml 
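Review bot: The `.deb` fetched in the new "Install Hugo (extended)" step of ci.yml is handed to `sudo dpkg -i` with no integrity check. The version in its URL now comes from a file in the checked-out tree, which a scheduled job rewrites from an upstream tag. Consider pinning a digest next to the version and verifying it before the install, e.g. `echo "<EXPECTED_SHA256>  ${{ runner.temp }}/hugo.deb" | sha256sum -c -` (placeholder digest; the bump job would have to update it together with `.hugoversion`). It would also help to reject anything that is not a plain `X.Y.Z` right after the `cat`, for example `printf '%s\n' "$HUGO_VERSION" | grep -Eqx '[0-9]+(\.[0-9]+){2}' || exit 1`. The same applies to the identical step added in the second deploy.yml hunk, where the package is installed in the job that builds the published site.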
@@ -0,0 +1,62 @@ +name: Bump Hugo + +# Dependabot can't track the wget-installed Hugo .deb, so this scheduled job checks for a newer +# Hugo release and opens a PR updating .hugoversion — the single source of truth read by both +# ci.yml and deploy.yml. Manual bump: just edit .hugoversion. +# +# Note: PRs opened with the built-in GITHUB_TOKEN don't themselves trigger CI (a GitHub +# limitation), so re-run / push to the bump PR to exercise the strict build before merging. + +on: + schedule: + - cron: "0 8 * * 1" # Mondays 08:00 UTC + workflow_dispatch: + +permissions: + contents: read + +jobs: + bump: + runs-on: ubuntu-latest + permissions: + contents: write # commit the bump on a branch + pull-requests: write # open the PR + steps: + - name: Checkout + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false # zizmor: artipacked + - name: Check for a newer Hugo release + id: check + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -euo pipefail + current="$(cat .hugoversion)" + latest="$(gh api repos/gohugoio/hugo/releases/latest --jq '.tag_name' | sed 's/^v//')" + echo "current=$current" >> "$GITHUB_OUTPUT" + echo "latest=$latest" >> "$GITHUB_OUTPUT" + if [ "$current" != "$latest" ]; then + printf '%s\n' "$latest" > .hugoversion + echo "changed=true" >> "$GITHUB_OUTPUT" + else + echo "changed=false" >> "$GITHUB_OUTPUT" + fi + - name: Open bump PR + if: steps.check.outputs.changed == 'true' + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 + with: + token: ${{ secrets.GITHUB_TOKEN }} + base: main + branch: chore/bump-hugo + delete-branch: true + labels: infra + commit-message: "ci: bump Hugo ${{ steps.check.outputs.current }} -> ${{ steps.check.outputs.latest }}" + title: "ci: bump Hugo to ${{ steps.check.outputs.latest }}" + body: | + Automated bump of the single-sourced Hugo version in `.hugoversion`: + `${{ steps.check.outputs.current }}` → `${{ 
steps.check.outputs.latest }}`. + + Both `ci.yml` and `deploy.yml` read this file, so the strict build in CI + validates the new version. Re-run CI on this PR (GITHUB_TOKEN-opened PRs + don't auto-trigger it) before merging. diff --git a/.hugoversion b/.hugoversion new file mode 100644 index 0000000..1abeedd --- /dev/null +++ b/.hugoversion @@ -0,0 +1 @@ +0.162.1 diff --git a/README.md b/README.md index a7db555..3551b3c 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,12 @@ You need [Hugo **extended**](https://gohugo.io/installation/) (≥ 0.162). On ma hugo server # live reload at http://localhost:1313 ``` +CI and the deploy build pin an exact Hugo version in **[`.hugoversion`](.hugoversion)** — a single +source of truth read by both [`ci.yml`](.github/workflows/ci.yml) and +[`deploy.yml`](.github/workflows/deploy.yml), so they can't drift. Bump it by editing that one file +(a weekly [`hugo-bump.yml`](.github/workflows/hugo-bump.yml) job also opens a PR when a newer Hugo +ships). + ## Build ```bash
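Review bot: In the `check` step of hugo-bump.yml, `latest` is written to `.hugoversion` and `$GITHUB_OUTPUT` exactly as the API returned it, and the test is `!=` rather than "newer than". An empty or `null` `tag_name`, a tag with an unexpected suffix, or an upstream rollback would therefore still produce a bump PR, and that value later becomes part of the download URL in ci.yml and deploy.yml. Validate it straight after the `gh api` line, e.g. `printf '%s\n' "$latest" | grep -Eqx '[0-9]+(\.[0-9]+){2}' || { echo "unexpected tag: $latest" >&2; exit 1; }`, and only write the file when `sort -V` orders `latest` after `current`. Since the header comment notes that CI does not run automatically on these PRs, this step is the only automated check on the value before a reviewer sees it.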