fix(release): require RELEASE_PAT for tag and release updates

Stop using GITHUB_TOKEN/GITEA_TOKEN fallbacks in prepare/do-release/publish mutation paths. Require explicit PAT wiring via secrets.RELEASE_PAT for commit/push/tag and release update operations so downstream workflows trigger reliably.

.gitea/workflows/do-release.yml

@@ -28,7 +28,7 @@ jobs:
       run:
         shell: bash
     env:
-      RELEASE_TOKEN: ${{ secrets.GITHUB_TOKEN || secrets.GITEA_TOKEN }}
+      RELEASE_TOKEN: ${{ secrets.RELEASE_PAT }}
       SUMMARY_FILE: ${{ runner.temp }}/do-release-summary.md
     steps:
       - name: Checkout
@@ -137,7 +137,7 @@ jobs:
           set -euo pipefail
 
           if [[ -z "${RELEASE_TOKEN:-}" ]]; then
-            echo "No release token available. Set GITEA_TOKEN (or GITHUB_TOKEN on GitHub)." >&2
+            echo "No release token available. Set secrets.RELEASE_PAT." >&2
             exit 1
           fi
 
@@ -163,7 +163,7 @@ jobs:
         id: publish
         uses: ./publish
         with:
-          token: ${{ secrets.GITHUB_TOKEN || secrets.GITEA_TOKEN }}
+          token: ${{ secrets.RELEASE_PAT }}
           version: ${{ steps.resolve-version.outputs.version }}
 
       - name: Build release binaries
@@ -284,7 +284,7 @@ jobs:
 
       - name: Download released binary
         env:
-          TOKEN: ${{ secrets.GITHUB_TOKEN || secrets.GITEA_TOKEN }}
+          TOKEN: ${{ secrets.RELEASE_PAT }}
           TAG_NAME: ${{ needs.release.outputs.tag }}
           RELEASE_VERSION: ${{ needs.release.outputs.version }}
           ASSET_ARCH: ${{ matrix.asset_arch }}

.gitea/workflows/prepare-release.yml

@@ -124,6 +124,7 @@ jobs:
           VOCIFERATE_CACHE_TOKEN: ${{ steps.cache-token.outputs.value }}
         with:
           version: ${{ steps.resolve-version.outputs.tag }}
+          token: ${{ secrets.RELEASE_PAT }}
           git-add-files: CHANGELOG.md release-version README.md AGENTS.md
 
       - name: Summarize prepared release

AGENTS.md

@@ -30,7 +30,7 @@ Apply these checks before invoking actions:
 
 - Checkout repository first.
 - For prepare/publish flows that depend on tags/history, use full history checkout (`fetch-depth: 0`).
-- Use valid credentials for release/comment API calls. On GitHub, `secrets.GITHUB_TOKEN` is used; on self-hosted Gitea, set `secrets.GITEA_TOKEN`.
+- Use `secrets.RELEASE_PAT` for release/tag/update operations (prepare/publish/do-release) so tag pushes trigger downstream workflows reliably.
 - `do-release` and `decorate-pr` now run preflight API checks and fail fast when token credentials are missing or insufficient.
 - Set required vars/secrets for coverage uploads:
   - `vars.ARTEFACT_BUCKET_NAME`

CHANGELOG.md

@@ -30,6 +30,7 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect
 - `publish` now extracts tagged release notes through the `vociferate` Go CLI instead of duplicating changelog section parsing in shell.
 - Composite actions now share a centralized `run-vociferate` orchestration flow, with binary-versus-source execution delegated through shared composite actions and single-use runtime/download logic folded back into `run-vociferate.binary`.
 - `run-vociferate` now contains both binary and source execution flows directly in a single action implementation, removing nested local action wrappers for better runner compatibility.
+- Release automation now requires `secrets.RELEASE_PAT` for prepare/publish/do-release operations instead of defaulting to `GITHUB_TOKEN`/`GITEA_TOKEN`.
 
 ### Removed
 
@@ -40,6 +41,7 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect
 - Fixed version resolution in `do-release` workflow by moving version calculation before checkout, resolving from inputs/git tags, and always passing explicit version to `publish` action.
 - Fixed tag detection in `do-release` to prioritize the tag at current HEAD (created by `prepare-release`) over the globally latest tag, ensuring correct version is detected when called from `prepare-release` workflow.
 - Fixed `do-release` workflow_call resolution on Teacup runners by explicitly falling back to `needs.prepare.outputs.tag` and normalizing `%!t(string=...)` wrapped values before choosing a release tag.
+- Fixed release-chain triggering by using a PAT for release commit/tag pushes so downstream release workflows are triggered reliably.
 - Made `publish` action version resolution more robust with clearer error messages when version input is missing and workflow is not running from a tag push.
 - Fixed `do-release` workflow to always checkout the resolved release tag, eliminating conditional checkout logic that could skip the checkout when called from `prepare-release` workflow.
 - Pinned `securego/gosec` and `golang/govulncheck-action` to concrete version tags (`v2.22.4` and `v1.0.4`) so self-hosted Gitea runners can resolve them via direct git clone without relying on the GitHub Actions floating-tag API.

README.md

@@ -63,13 +63,14 @@ and `version-pattern`:
 ```yaml
 - uses: https://git.hrafn.xyz/aether/vociferate/prepare@v1.0.2
   with:
+    token: ${{ secrets.RELEASE_PAT }}
     version-file: internal/myapp/version/version.go
     version-pattern: 'const Version = "([^"]+)"'
     git-add-files: CHANGELOG.md internal/myapp/version/version.go
 ```
 
-`prepare` uses `github.token` internally for authenticated fetch/push operations,
-so no token input is required.
+`prepare` requires a PAT input for authenticated commit/push/tag operations.
+Pass `token: ${{ secrets.RELEASE_PAT }}` when invoking the action.
 
 ### `publish` — create release with changelog notes
 
@@ -96,9 +97,8 @@ Gitea/GitHub release with those notes. The `version` input is optional — when
 omitted it is derived from the current tag ref automatically.
 
 The reusable `Do Release` workflow now runs preflight checks before publish to
-fail fast when the release token is missing or lacks API access. On
-self-hosted Gitea, set `secrets.GITEA_TOKEN`; on GitHub, `secrets.GITHUB_TOKEN`
-is used automatically.
+fail fast when the release token is missing or lacks API access. Set
+`secrets.RELEASE_PAT` and use it for prepare/publish release operations.
 
 The `publish` action outputs `release-id` so you can upload additional release
 assets after it runs:
@@ -110,7 +110,7 @@ assets after it runs:
 - name: Upload my binary
   run: |
     curl --fail-with-body -X POST \
-      -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+      -H "Authorization: token ${{ secrets.RELEASE_PAT }}" \
       -H "Content-Type: application/octet-stream" \
       "${{ github.api_url }}/repos/${{ github.repository }}/releases/${{ steps.publish.outputs.release-id }}/assets?name=myapp" \
       --data-binary "@dist/myapp"

prepare/action.yml

@@ -42,6 +42,11 @@ inputs:
       custom version-file.
     required: false
     default: 'CHANGELOG.md release-version'
+  token:
+    description: >
+      Personal access token used to authenticate commit, push, and tag
+      operations. Required to ensure downstream workflows trigger on tag push.
+    required: true
 
 outputs:
   version:
@@ -114,7 +119,7 @@ runs:
     - name: Commit and push release
       shell: bash
       env:
-        TOKEN: ${{ github.token }}
+        TOKEN: ${{ inputs.token }}
         GIT_USER_NAME: ${{ inputs.git-user-name }}
         GIT_USER_EMAIL: ${{ inputs.git-user-email }}
         GIT_ADD_FILES: ${{ inputs.git-add-files }}
@@ -124,6 +129,11 @@ runs:
       run: |
         set -euo pipefail
 
+        if [[ -z "${TOKEN:-}" ]]; then
+          echo "A release PAT is required. Provide inputs.token (for example secrets.RELEASE_PAT)." >&2
+          exit 1
+        fi
+
         case "$GITHUB_SERVER_URL" in
           https://*)
             authed_remote="https://oauth2:${TOKEN}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git"

publish/action.yml

@@ -7,10 +7,9 @@ description: >
 inputs:
   token:
     description: >
-      Token used to authenticate release API calls. Defaults to the
-      workflow token.
-    required: false
-    default: ''
+      Personal access token used to authenticate release API calls.
+      Required to support release updates across workflow boundaries.
+    required: true
   version:
     description: >
       Semantic version to publish (with or without leading v). When omitted,
@@ -91,7 +90,7 @@ runs:
       id: create-release
       shell: bash
       env:
-        TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
+        TOKEN: ${{ inputs.token }}
         TAG_NAME: ${{ steps.resolve-version.outputs.tag }}
         RELEASE_NOTES_FILE: ${{ steps.write-notes.outputs.notes_file }}
         GITHUB_API_URL: ${{ github.api_url }}
@@ -101,6 +100,11 @@ runs:
       run: |
         set -euo pipefail
 
+        if [[ -z "${TOKEN:-}" ]]; then
+          echo "inputs.token is required (set to secrets.RELEASE_PAT)." >&2
+          exit 1
+        fi
+
         release_notes="$(cat "$RELEASE_NOTES_FILE")"
         escaped_release_notes="$(printf '%s' "$release_notes" | sed 's/\\/\\\\/g; s/"/\\"/g; :a;N;$!ba;s/\n/\\n/g')"
         release_api="${GITHUB_API_URL:-${GITHUB_SERVER_URL%/}/api/v1}/repos/${GITHUB_REPOSITORY}/releases"