diff --git a/src/cron/store.rs b/src/cron/store.rs
index 3c27272..107e793 100644
--- a/src/cron/store.rs
+++ b/src/cron/store.rs
@@ -304,7 +304,12 @@ pub fn record_run(
 ) -> Result<()> {
     let bounded_output = output.map(truncate_cron_output);
     with_connection(config, |conn| {
-        conn.execute(
+        // Wrap INSERT + pruning DELETE in an explicit transaction so that
+        // if the DELETE fails, the INSERT is rolled back and the run table
+        // cannot grow unboundedly.
+        let tx = conn.unchecked_transaction()?;
+
+        tx.execute(
             "INSERT INTO cron_runs (job_id, started_at, finished_at, status, output, duration_ms)
              VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
             params![
@@ -319,7 +324,7 @@ pub fn record_run(
         .context("Failed to insert cron run")?;
 
         let keep = i64::from(config.cron.max_run_history.max(1));
-        conn.execute(
+        tx.execute(
             "DELETE FROM cron_runs
              WHERE job_id = ?1
                AND id NOT IN (
@@ -331,6 +336,8 @@ pub fn record_run(
             params![job_id, keep],
         )
         .context("Failed to prune cron run history")?;
+
+        tx.commit().context("Failed to commit cron run transaction")?;
         Ok(())
     })
 }