diff --git a/.gitea/workflows/docker-publish.yml b/.gitea/workflows/docker-publish.yml
index 9f5fc27..7b63997 100644
--- a/.gitea/workflows/docker-publish.yml
+++ b/.gitea/workflows/docker-publish.yml
@@ -2,8 +2,9 @@
 # Triggered manually via workflow_dispatch — enter an existing semver tag (e.g. 1.2.3)
 # in the "Release tag" input. The workflow will fail early if the tag does not exist.
 #
-# No secrets required — the automatic gitea.token is used for registry login.
-# Gitea grants it package write access via the permissions block below.
+# Requires a repository secret REGISTRY_TOKEN — a Gitea PAT with write:package scope.
+# Create it at: Settings → Applications → Generate Token (scope: write:package)
+# Then add it: Repository → Settings → Secrets → Actions → REGISTRY_TOKEN
 #
 # After a successful run the image is available at:
 #   <your-gitea-host>/<owner>/<repo>:<version>
@@ -70,7 +71,7 @@ jobs:
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ gitea.actor }}
-          password: ${{ gitea.token }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Build and push
         uses: docker/build-push-action@v5