fix(release): require RELEASE_PAT for tag and release updates

Stop using GITHUB_TOKEN/GITEA_TOKEN fallbacks in prepare/do-release/publish mutation paths. Require explicit PAT wiring via secrets.RELEASE_PAT for commit/push/tag and release update operations so downstream workflows trigger reliably.

.gitea/workflows/do-release.yml

@@ -28,7 +28,7 @@ jobs:
       run:
         shell: bash
     env:
-      RELEASE_TOKEN: ${{ secrets.GITHUB_TOKEN || secrets.GITEA_TOKEN }}
+      RELEASE_TOKEN: ${{ secrets.RELEASE_PAT }}
       SUMMARY_FILE: ${{ runner.temp }}/do-release-summary.md
     steps:
       - name: Checkout
@@ -137,7 +137,7 @@ jobs:
           set -euo pipefail
 
           if [[ -z "${RELEASE_TOKEN:-}" ]]; then
-            echo "No release token available. Set GITEA_TOKEN (or GITHUB_TOKEN on GitHub)." >&2
+            echo "No release token available. Set secrets.RELEASE_PAT." >&2
             exit 1
           fi
 
@@ -163,7 +163,7 @@ jobs:
         id: publish
         uses: ./publish
         with:
-          token: ${{ secrets.GITHUB_TOKEN || secrets.GITEA_TOKEN }}
+          token: ${{ secrets.RELEASE_PAT }}
           version: ${{ steps.resolve-version.outputs.version }}
 
       - name: Build release binaries
@@ -284,7 +284,7 @@ jobs:
 
       - name: Download released binary
         env:
-          TOKEN: ${{ secrets.GITHUB_TOKEN || secrets.GITEA_TOKEN }}
+          TOKEN: ${{ secrets.RELEASE_PAT }}
           TAG_NAME: ${{ needs.release.outputs.tag }}
           RELEASE_VERSION: ${{ needs.release.outputs.version }}
           ASSET_ARCH: ${{ matrix.asset_arch }}