Is there a way to do this … or do we need to push a changeset?
you only need to push a changeset if you need to modify the yaml configuration to use the new secret. If you are changing an existing secret, these changes will be reflected in all subsequent builds.