event-driven-secret-rotation-fragile-chain

Status: OUT

Secret Manager's Pub/Sub-based rotation notification creates a fragile end-to-end chain. Rotation triggers are notification-only (the secret value does not actually change), delivery to Cloud Run depends on push subscriptions (one message per request, SSL required), and Pub/Sub's exactly-once guarantee is pull-only. As a result, rotation events to serverless consumers may duplicate or be lost, undermining the rotation lifecycle that Secret Manager delegates entirely to application code.
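
One way a Cloud Run push endpoint can tolerate duplicate rotation notifications, as an added example that is not from the original page: the handler deduplicates on the Pub/Sub `messageId` and acknowledges only after the rotation work succeeds. The `rotate` callback, the in-memory `processed` set (a real service would need a store shared across instances) and the sample envelope are assumptions made for illustration.

```python
ROTATE_EVENT = "SECRET_ROTATE"  # eventType attribute on rotation notifications


def sample_envelope(message_id, event_type=ROTATE_EVENT):
    """Constructed Pub/Sub push body; project number and secret name are made up."""
    return {
        "message": {
            "messageId": message_id,
            "attributes": {
                "eventType": event_type,
                "secretId": "projects/123456789/secrets/example-db-password",
            },
        },
        "subscription": "projects/example-project/subscriptions/example-rotation-push",
    }


def handle_push(envelope, processed, rotate):
    """Return the HTTP status for one push request.

    A 204 acknowledges the message; an error status makes Pub/Sub deliver
    it again, so the same messageId can arrive more than once.
    """
    msg = envelope.get("message") if isinstance(envelope, dict) else None
    if not isinstance(msg, dict) or "messageId" not in msg:
        return 400  # not a Pub/Sub push envelope
    attrs = msg.get("attributes") or {}
    if attrs.get("eventType") != ROTATE_EVENT or "secretId" not in attrs:
        return 204  # some other secret event: acknowledge and ignore
    if msg["messageId"] in processed:
        return 204  # duplicate delivery: acknowledge, do not rotate again
    try:
        # The notification changes nothing by itself; the (hypothetical)
        # rotate callback must create the credential and add the new version.
        rotate(attrs["secretId"])
    except Exception:
        return 500  # leave unacknowledged so Pub/Sub retries
    # Recorded only after success: a crash before this line means one more
    # rotate call on redelivery, so rotate itself should be safe to repeat.
    processed.add(msg["messageId"])
    return 204
```

This covers duplicated deliveries only; a lost notification produces no request at all and has to be caught separately, for example by checking the age of the newest secret version.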
