Fixes?

docs/workflow.md

@@ -256,6 +256,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          token: ${{ secrets.STAMP_GITEA_TOKEN }}
 
       - name: Configure git
         run: |
@@ -268,9 +269,9 @@ jobs:
       - name: Create or update release PR
         run: stamp release-pr --base=main
         env:
-          GITEA_TOKEN:    ${{ secrets.GITEA_TOKEN }}
-          GITEA_BASE_URL: ${{ gitea.server_url }}
-          STAMP_REPO:     ${{ gitea.repository }}
+          STAMP_GITEA_TOKEN: ${{ secrets.STAMP_GITEA_TOKEN }}
+          GITEA_BASE_URL:    ${{ gitea.server_url }}
+          STAMP_REPO:        ${{ gitea.repository }}
 ```
 
 **Job 2: publish after the release PR is merged**
@@ -290,6 +291,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          token: ${{ secrets.STAMP_GITEA_TOKEN }}
 
       - name: Configure git
         run: |
@@ -302,12 +304,12 @@ jobs:
       - name: Publish releases
         run: stamp publish
         env:
-          GITEA_TOKEN:    ${{ secrets.GITEA_TOKEN }}
-          GITEA_BASE_URL: ${{ gitea.server_url }}
-          STAMP_REPO:     ${{ gitea.repository }}
+          STAMP_GITEA_TOKEN: ${{ secrets.STAMP_GITEA_TOKEN }}
+          GITEA_BASE_URL:    ${{ gitea.server_url }}
+          STAMP_REPO:        ${{ gitea.repository }}
 ```
 
-> **Note on `GITEA_TOKEN`:** Gitea Actions does not automatically inject a token the way GitHub Actions does. You must create a personal access token (or a bot account token) in your Gitea account settings with repository read/write permissions, then store it as a repository secret named `GITEA_TOKEN`.
+> **Note on `STAMP_GITEA_TOKEN`:** Gitea Actions auto-injects a `GITEA_TOKEN` for each run, but that token has limited scopes and cannot create PRs or post comments. Because `GITEA_TOKEN` is a reserved name you cannot override it with a secret of the same name. Instead, create a PAT in your Gitea account settings with **`repository` (read/write)** and **`issue` (read/write)** scopes, then store it as a repository secret named `STAMP_GITEA_TOKEN`. stamp reads `STAMP_GITEA_TOKEN` first and falls back to `GITEA_TOKEN`.
 
 ---
 
@@ -366,9 +368,9 @@ jobs:
       - name: Comment on PR
         run: stamp comment --pr=${{ gitea.event.pull_request.number }}
         env:
-          GITEA_TOKEN:    ${{ secrets.GITEA_TOKEN }}
-          GITEA_BASE_URL: ${{ gitea.server_url }}
-          STAMP_REPO:     ${{ gitea.repository }}
+          STAMP_GITEA_TOKEN: ${{ secrets.STAMP_GITEA_TOKEN }}
+          GITEA_BASE_URL:    ${{ gitea.server_url }}
+          STAMP_REPO:        ${{ gitea.repository }}
 ```
 
 ---
@@ -479,5 +481,6 @@ Tag format: `<name>@v<version>` for monorepos (e.g. `my-app@v1.3.0`), or `v<vers
 |----------|---------|
 | `STAMP_REPO` | Repository slug `owner/repo` — required for `publish`, `comment`, and `release-pr` |
 | `GITHUB_TOKEN` | GitHub token — automatically injected by GitHub Actions; no setup needed |
-| `GITEA_TOKEN` | Gitea access token — must be created manually and stored as a secret |
+| `GITEA_TOKEN` | Auto-injected by Gitea Actions with limited scopes — **do not use this for stamp** |
+| `STAMP_GITEA_TOKEN` | PAT you create manually with `repository` (read/write) and `issue` (read/write) scopes. The name `GITEA_TOKEN` is reserved by Gitea Actions, so a different name is required. |
 | `GITEA_BASE_URL` | Gitea instance URL (e.g. `https://gitea.example.com`) — presence of this variable also activates Gitea mode |