fix(release): require RELEASE_PAT for tag and release updates

Stop using GITHUB_TOKEN/GITEA_TOKEN fallbacks in prepare/do-release/publish mutation paths. Require explicit PAT wiring via secrets.RELEASE_PAT for commit/push/tag and release update operations so downstream workflows trigger reliably.

publish/action.yml

@@ -7,10 +7,9 @@ description: >
 inputs:
   token:
     description: >
-      Token used to authenticate release API calls. Defaults to the
-      workflow token.
-    required: false
-    default: ''
+      Personal access token used to authenticate release API calls.
+      Required to support release updates across workflow boundaries.
+    required: true
   version:
     description: >
       Semantic version to publish (with or without leading v). When omitted,
@@ -91,7 +90,7 @@ runs:
       id: create-release
       shell: bash
       env:
-        TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
+        TOKEN: ${{ inputs.token }}
         TAG_NAME: ${{ steps.resolve-version.outputs.tag }}
         RELEASE_NOTES_FILE: ${{ steps.write-notes.outputs.notes_file }}
         GITHUB_API_URL: ${{ github.api_url }}
@@ -101,6 +100,11 @@ runs:
       run: |
         set -euo pipefail
 
+        if [[ -z "${TOKEN:-}" ]]; then
+          echo "inputs.token is required (set to secrets.RELEASE_PAT)." >&2
+          exit 1
+        fi
+
         release_notes="$(cat "$RELEASE_NOTES_FILE")"
         escaped_release_notes="$(printf '%s' "$release_notes" | sed 's/\\/\\\\/g; s/"/\\"/g; :a;N;$!ba;s/\n/\\n/g')"
         release_api="${GITHUB_API_URL:-${GITHUB_SERVER_URL%/}/api/v1}/repos/${GITHUB_REPOSITORY}/releases"