diff --git a/.github/workflows/control-plane.yml b/.github/workflows/control-plane.yml
index ffba497..93e9ffb 100644
--- a/.github/workflows/control-plane.yml
+++ b/.github/workflows/control-plane.yml
@@ -21,6 +21,7 @@ on:
           - control-check
           - upstream-monitor
           - fleet-dashboard
+          - alert-test
       repo:
         description: App repo name for control-check mode
         required: false
@@ -150,6 +151,21 @@ jobs:
             exit 1
           fi
 
+      - name: Test alert webhook
+        if: ${{ github.event_name == 'workflow_dispatch' && inputs.mode == 'alert-test' }}
+        env:
+          AIO_FLEET_ALERT_WEBHOOK_URL: ${{ secrets.AIO_FLEET_ALERT_WEBHOOK_URL }}
+          DETAILS_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        run: |
+          set -euo pipefail
+          python -m aio_fleet alert doctor --require-alerts --format json
+          python -m aio_fleet alert test \
+            --event upstream-update \
+            --status warning \
+            --summary "aio-fleet Discord alert test" \
+            --details-url "${DETAILS_URL}" \
+            --format json
+
       - name: Poll active repos
         id: poll
         if: ${{ github.event.schedule == '17 * * * *' || inputs.mode == 'poll' }}
diff --git a/tests/test_control_plane_workflow.py b/tests/test_control_plane_workflow.py
index 178f78b..0bab6fa 100644
--- a/tests/test_control_plane_workflow.py
+++ b/tests/test_control_plane_workflow.py
@@ -77,6 +77,29 @@ def test_dashboard_update_scopes_dashboard_tokens() -> None:
     assert "GITHUB_TOKEN" not in dashboard["env"]  # nosec B101
 
 
+def test_alert_test_mode_uses_alert_webhook_secret_only() -> None:
+    workflow = yaml.safe_load(WORKFLOW.read_text())
+    on_config = workflow.get("on", workflow.get(True))
+    mode = on_config["workflow_dispatch"]["inputs"]["mode"]
+    alert_test = _step(workflow["jobs"]["control-plane"], "Test alert webhook")
+
+    assert "alert-test" in mode["options"]  # nosec B101
+    assert (  # nosec B101
+        alert_test["if"]
+        == "${{ github.event_name == 'workflow_dispatch' && inputs.mode == 'alert-test' }}"
+    )
+    assert alert_test["env"] == {  # nosec B101
+        "AIO_FLEET_ALERT_WEBHOOK_URL": "${{ secrets.AIO_FLEET_ALERT_WEBHOOK_URL }}",
+        "DETAILS_URL": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}",
+    }
+    assert (
+        "alert doctor --require-alerts --format json" in alert_test["run"]
+    )  # nosec B101
+    assert "alert test" in alert_test["run"]  # nosec B101
+    assert "aio-fleet Discord alert test" in alert_test["run"]  # nosec B101
+    assert "--dry-run" not in alert_test["run"]  # nosec B101
+
+
 def test_app_code_checkouts_do_not_persist_credentials() -> None:
     workflow = yaml.safe_load(WORKFLOW.read_text())