diff --git a/.gitea/workflows/docker-publish.yml b/.gitea/workflows/docker-publish.yml
index 81db6c2..9f5fc27 100644
--- a/.gitea/workflows/docker-publish.yml
+++ b/.gitea/workflows/docker-publish.yml
@@ -2,10 +2,8 @@
 # Triggered manually via workflow_dispatch — enter an existing semver tag (e.g. 1.2.3)
 # in the "Release tag" input. The workflow will fail early if the tag does not exist.
 #
-# One-time setup required:
-# 1. Create a Gitea token with "package:write" scope.
-# 2. Add it as a repository secret named GITEA_TOKEN
-# (Repository → Settings → Secrets → Actions).
+# No secrets required — the automatic gitea.token is used for registry login.
+# Gitea grants it package write access via the permissions block below.
 #
 # After a successful run the image is available at:
 # //:
@@ -23,6 +21,9 @@ on:
 jobs:
 build-push:
 runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ contents: read
 steps:
 - name: Checkout
@@ -69,7 +70,7 @@ jobs:
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ gitea.actor }}
- password: ${{ secrets.GITEA_TOKEN }}
+ password: ${{ gitea.token }}
 - name: Build and push
 uses: docker/build-push-action@v5
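Review bot: The rewritten header removes the one-time setup steps without saying what happens to the credential they created, so the long-lived `package:write` token stored as `GITEA_TOKEN` stays valid and usable after this change. I would add a migration line to the header, for example `# Migration: delete the GITEA_TOKEN repository secret and revoke the token behind it.` Without it, the move to a per-run token does not reduce the standing exposure.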
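Review bot: The new `permissions:` block under `build-push` only has an effect if the Gitea instance applies workflow permissions to the job token. Some Gitea releases document `permissions` as ignored, in which case neither the `packages: write` grant nor the `contents: read` restriction is enforced. Please confirm on the target version that a run can push and that the token cannot write repository contents. The header sentence `Gitea grants it package write access via the permissions block below` should then be worded as a requirement, e.g. `# Requires a Gitea version that applies job-level permissions to gitea.token.` The rest of the job's steps lie outside this hunk.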
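Review bot: `password: ${{ gitea.token }}` passes a token meant to carry package write scope to actions referenced by a mutable tag. `docker/build-push-action@v5` is visible in this hunk, while the login step's `uses:` line is outside it. A retagged or compromised action release would run with that credential and could publish to the registry. Pinning both actions to a full commit SHA fits in the same change, e.g. `uses: docker/build-push-action@<full-commit-sha>  # v5`.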