diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index 69932d2..7274ee2 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -28,12 +28,12 @@ jobs:
     runs-on: go
     steps:
       - name: Checkout
+        env:
+          # Gitea Actions doesn't auto-export GITHUB_TOKEN to the shell;
+          # we have to read it from secrets and surface it explicitly.
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          # Public repo — clone without auth. Both Gitea and Forgejo
-          # rejected hardcoded "forgejo-runner"/"x-access-token" basic-auth
-          # formulas; for an unauthenticated read on public repos plain
-          # https works on every server.
-          git clone --no-checkout "https://git.okcu.io/${GITHUB_REPOSITORY}.git" /tmp/src
+          git clone --no-checkout "https://x-access-token:${GITHUB_TOKEN}@git.okcu.io/${GITHUB_REPOSITORY}.git" /tmp/src
           git -C /tmp/src checkout "$GITHUB_SHA"
           cp -a /tmp/src/. .
       - name: Vet
@@ -51,12 +51,12 @@ jobs:
     needs: test
     steps:
       - name: Checkout
+        env:
+          # Gitea Actions doesn't auto-export GITHUB_TOKEN to the shell;
+          # we have to read it from secrets and surface it explicitly.
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          # Public repo — clone without auth. Both Gitea and Forgejo
-          # rejected hardcoded "forgejo-runner"/"x-access-token" basic-auth
-          # formulas; for an unauthenticated read on public repos plain
-          # https works on every server.
-          git clone --no-checkout "https://git.okcu.io/${GITHUB_REPOSITORY}.git" /tmp/src
+          git clone --no-checkout "https://x-access-token:${GITHUB_TOKEN}@git.okcu.io/${GITHUB_REPOSITORY}.git" /tmp/src
           git -C /tmp/src checkout "$GITHUB_SHA"
           cp -a /tmp/src/. .
       - name: Cross-compile drover.exe (windows/amd64)
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index e335308..ad66a2c 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -17,9 +17,10 @@ jobs:
     runs-on: go
     steps:
       - name: Checkout
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          # Public repo — clone without auth (see build.yml for rationale).
-          git clone --no-checkout "https://git.okcu.io/${GITHUB_REPOSITORY}.git" /tmp/src
+          git clone --no-checkout "https://x-access-token:${GITHUB_TOKEN}@git.okcu.io/${GITHUB_REPOSITORY}.git" /tmp/src
           git -C /tmp/src checkout "$GITHUB_SHA"
           cp -a /tmp/src/. .