diff --git a/.drone.yml b/.drone.yml
index 5d81dd3..4fb0c27 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -273,7 +273,7 @@ environment:
 
 steps:
   - name: renovate
-    image: renovate/renovate:43.48
+    image: renovate/renovate:43.46
     environment:
       RENOVATE_CONFIG_FILE: "renovate_backend_config.js"
       RENOVATE_TOKEN:
diff --git a/lib/mv/config.ex b/lib/mv/config.ex
index 8b8c088..ec69b18 100644
--- a/lib/mv/config.ex
+++ b/lib/mv/config.ex
@@ -360,29 +360,13 @@ defmodule Mv.Config do
   end
 
   @doc """
-  Returns the OIDC client secret.
-  In production, uses the value from config :mv, :oidc (set by runtime.exs from OIDC_CLIENT_SECRET or OIDC_CLIENT_SECRET_FILE).
-  Otherwise ENV OIDC_CLIENT_SECRET, then Settings.
+  Returns the OIDC client secret. ENV first, then Settings.
   """
   @spec oidc_client_secret() :: String.t() | nil
   def oidc_client_secret do
-    case Application.get_env(:mv, :oidc) do
-      oidc when is_list(oidc) -> oidc_client_secret_from_config(Keyword.get(oidc, :client_secret))
-      _ -> env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
-    end
+    env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
   end
 
-  defp oidc_client_secret_from_config(nil),
-    do: env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
-
-  defp oidc_client_secret_from_config(secret) when is_binary(secret) do
-    s = String.trim(secret)
-    if s != "", do: s, else: env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
-  end
-
-  defp oidc_client_secret_from_config(_),
-    do: env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
-
   @doc """
   Returns the OIDC admin group name (for role sync). ENV first, then Settings.
   """
@@ -442,10 +426,7 @@ defmodule Mv.Config do
   def oidc_client_id_env_set?, do: env_set?("OIDC_CLIENT_ID")
   def oidc_base_url_env_set?, do: env_set?("OIDC_BASE_URL")
   def oidc_redirect_uri_env_set?, do: env_set?("OIDC_REDIRECT_URI")
-
-  def oidc_client_secret_env_set?,
-    do: env_set?("OIDC_CLIENT_SECRET") or env_set?("OIDC_CLIENT_SECRET_FILE")
-
+  def oidc_client_secret_env_set?, do: env_set?("OIDC_CLIENT_SECRET")
   def oidc_admin_group_name_env_set?, do: env_set?("OIDC_ADMIN_GROUP_NAME")
   def oidc_groups_claim_env_set?, do: env_set?("OIDC_GROUPS_CLAIM")
   def oidc_only_env_set?, do: env_set?("OIDC_ONLY")