diff --git a/db/docs/batched_background_migrations/encrypt_missed_ci_runner_tokens.yml b/db/docs/batched_background_migrations/encrypt_missed_ci_runner_tokens.yml
index 60fe79f09a48956644b6464a4d9fa2cb63f90dcc..670f7088a9a2805ebb53b08ab834196766018d97 100644
--- a/db/docs/batched_background_migrations/encrypt_missed_ci_runner_tokens.yml
+++ b/db/docs/batched_background_migrations/encrypt_missed_ci_runner_tokens.yml
@@ -1,11 +1,14 @@
 ---
 migration_job_name: EncryptMissedCiRunnerTokens
-description: >
-  We've encrypted plain tokens and migrated to token_encrypted (in milestone 11.6), so we need to remove the runner token column
-  and make encryption required (currently optional). However, plain tokens remain unencrypted in gitlab_com and likely in self-managed instances.
-  We must encrypt these remaining tokens and nullify them before removing the column completely.
+description: 'We''ve encrypted plain tokens and migrated to token_encrypted (in milestone
+  11.6), so we need to remove the runner token column and make encryption required
+  (currently optional). However, plain tokens remain unencrypted in gitlab_com and
+  likely in self-managed instances. We must encrypt these remaining tokens and nullify
+  them before removing the column completely.
+
+  '
 feature_category: fleet_visibility
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196265
 milestone: '18.2'
 queued_migration_version: 20250630163722
-finalized_by: # to be updated
+finalized_by: '20250717233346'
diff --git a/db/post_migrate/20250717233346_finalize_hk_encrypt_missed_ci_runner_tokens.rb b/db/post_migrate/20250717233346_finalize_hk_encrypt_missed_ci_runner_tokens.rb
new file mode 100644
index 0000000000000000000000000000000000000000..18c80b595def134541e2e4dc72970ff3bff3dc34
--- /dev/null
+++ b/db/post_migrate/20250717233346_finalize_hk_encrypt_missed_ci_runner_tokens.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class FinalizeHkEncryptMissedCiRunnerTokens < Gitlab::Database::Migration[2.3]
+  milestone '18.3'
+
+  disable_ddl_transaction!
+
+  restrict_gitlab_migration gitlab_schema: :gitlab_ci
+
+  def up
+    ensure_batched_background_migration_is_finished(
+      job_class_name: 'EncryptMissedCiRunnerTokens',
+      table_name: :ci_runners,
+      column_name: :id,
+      job_arguments: [],
+      finalize: true
+    )
+  end
+
+  def down; end
+end
diff --git a/db/schema_migrations/20250717233346 b/db/schema_migrations/20250717233346
new file mode 100644
index 0000000000000000000000000000000000000000..1bc603fd12c3078ffe54b7449636a111ac7d39e6
--- /dev/null
+++ b/db/schema_migrations/20250717233346
@@ -0,0 +1 @@
+fde3ea0eee6af69f6c2738a6a92e806d65cb7ae733e18ce23cab219298b518ee
\ No newline at end of file