diff --git a/.woodpecker/db.yml b/.woodpecker/db.yml index f5cb2d5..17c36ab 100644 --- a/.woodpecker/db.yml +++ b/.woodpecker/db.yml @@ -31,18 +31,9 @@ steps: - chmod 600 secrets/SSH_KEY - ssh-keygen -y -f secrets/SSH_KEY >/dev/null - - name: lock-db - image: quay.io/skopeo/stable:latest - depends_on: [ secrets ] - environment: - REGISTRY_URL: registry.sendico.io - MONGO_VERSION: latest - commands: - - bash ci/prod/scripts/lock-db.sh - - name: deploy image: alpine:latest - depends_on: [ lock-db ] + depends_on: [ secrets ] commands: - | set -euo diff --git a/ci/prod/compose/db.yml b/ci/prod/compose/db.yml index b7049b1..86bcdfb 100644 --- a/ci/prod/compose/db.yml +++ b/ci/prod/compose/db.yml @@ -48,7 +48,7 @@ services: sendico_db1: <<: *common-env - image: ${MONGO_IMAGE} + image: docker.io/library/mongo:latest container_name: sendico_db1 restart: unless-stopped depends_on: { vault-agent-sendico: { condition: service_healthy } } @@ -70,7 +70,7 @@ services: sendico_db2: <<: *common-env - image: ${MONGO_IMAGE} + image: docker.io/library/mongo:latest container_name: sendico_db2 restart: unless-stopped depends_on: { vault-agent-sendico: { condition: service_healthy } } @@ -91,7 +91,7 @@ services: sendico_db3: <<: *common-env - image: ${MONGO_IMAGE} + image: docker.io/library/mongo:latest container_name: sendico_db3 restart: unless-stopped depends_on: { vault-agent-sendico: { condition: service_healthy } } @@ -112,7 +112,7 @@ services: mongo_setup: <<: *common-env - image: ${MONGO_IMAGE} + image: docker.io/library/mongo:latest depends_on: sendico_db1: { condition: service_healthy } sendico_db2: { condition: service_healthy } diff --git a/ci/prod/scripts/deploy-db.sh b/ci/prod/scripts/deploy-db.sh index 31efaae..954d5c3 100755 --- a/ci/prod/scripts/deploy-db.sh +++ b/ci/prod/scripts/deploy-db.sh 
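Review bot: The new `image: docker.io/library/mongo:latest` on `sendico_db1` (repeated on `sendico_db2`, `sendico_db3` and `mongo_setup` in the following hunks of `ci/prod/compose/db.yml`) runs the production replica set from a mutable tag pulled directly from Docker Hub, so the image that runs is whatever `latest` resolves to when each container is pulled. The removed `lock-db` step copied the image into `registry.sendico.io` and parsed its digest, presumably to populate `${MONGO_IMAGE}`; after this change nothing records or verifies which image was deployed. The three members can also land on different MongoDB versions if they are pulled at different times. If the mirror step is being dropped on purpose, pin the upstream reference instead, e.g. `image: docker.io/library/mongo:<TESTED_VERSION>@sha256:<DIGEST>` (placeholders, to be filled from the release you have validated). Define it once, in a single variable or a shared anchor next to `*common-env`, so the four services cannot drift apart.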
@@ -11,16 +11,13 @@ REMOTE_TARGET="${SSH_USER}@${SSH_HOST}" ssh -o StrictHostKeyChecking=no "$REMOTE_TARGET" "mkdir -p ${REMOTE_DIR}/{compose,env}" rsync -avz --delete ci/prod/compose/ "$REMOTE_TARGET:${REMOTE_DIR}/compose/" rsync -avz ci/prod/.env.runtime "$REMOTE_TARGET:${REMOTE_DIR}/env/.env.runtime" -rsync -avz ci/prod/env/.env.lock.db "$REMOTE_TARGET:${REMOTE_DIR}/env/.env.lock.db" rsync -avz secrets/REGISTRY_USER "$REMOTE_TARGET:${REMOTE_DIR}/env/.env.registry.user" rsync -avz secrets/REGISTRY_PASS "$REMOTE_TARGET:${REMOTE_DIR}/env/.env.registry.pass" -scp -o StrictHostKeyChecking=no .env.lock "$REMOTE_TARGET:${REMOTE_DIR}/.env.lock" ssh -o StrictHostKeyChecking=no "$REMOTE_TARGET" REMOTE_DIR="$REMOTE_DIR" <<'EOSSH' set -euo pipefail cd "${REMOTE_DIR}/compose" set -a . ../env/.env.runtime - . ../env/.env.lock.db export REGISTRY_USER="$(cat ../env/.env.registry.user)" export REGISTRY_PASS="$(cat ../env/.env.registry.pass)" mkdir -p ~/.docker diff --git a/ci/prod/scripts/lock-db.sh b/ci/prod/scripts/lock-db.sh deleted file mode 100644 index 3879c0d..0000000 --- a/ci/prod/scripts/lock-db.sh +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -mkdir -p ci/prod/env - -# export runtime vars (SSH_HOST etc.) and version info for downstream steps -set -a -. ./ci/prod/.env.runtime -. ./.env.version -set +a - -REGISTRY_URL="${REGISTRY_URL:-}" -MONGO_VERSION="${MONGO_VERSION:-latest}" -MONGO_ARCH="${MONGO_ARCH:-linux/amd64}" -APP_V="${APP_V:-}" - -if [ -z "$REGISTRY_URL" ]; then - echo "REGISTRY_URL is not set (define in .env.runtime or Woodpecker env)" >&2 - exit 1 -fi -if [ -z "$APP_V" ]; then - echo "APP_V is not set (version step must run first)" >&2 - exit 1 -fi - -for f in secrets/REGISTRY_USER secrets/REGISTRY_PASS; do - if [ ! -s "$f" ]; then - echo "missing registry credential: $f" >&2 - exit 1 - fi -done - -CREDS="$(cat secrets/REGISTRY_USER):$(cat secrets/REGISTRY_PASS)" - -SRC_REF="docker://docker.io/library/mongo:${MONGO_VERSION}" -DEST_REF="docker://${REGISTRY_URL}/mirror/mongo:${APP_V}" - -OS="${MONGO_ARCH%%/*}" -ARCH="${MONGO_ARCH##*/}" - -skopeo copy \ - --override-os "${OS:-linux}" \ - --override-arch "${ARCH:-amd64}" \ - --retry-times 3 \ - "$SRC_REF" \ - "$DEST_REF" \ - --dest-creds "$CREDS" - -INSPECT="$(skopeo inspect "$DEST_REF" --creds "$CREDS")" -DIGEST="$(printf '%s' "$INSPECT" | tr -d '\n' | sed -n 's/.*"Digest"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')" - -if [ -z "$DIGEST" ]; then - echo "failed to parse digest from skopeo inspect output" >&2 - exit 1 -fi - -cat <