From a5a2895725301ab9fcdf9b30491f9bc21678d70f Mon Sep 17 00:00:00 2001
From: Claude <claude@kuns.dev>
Date: Thu, 30 Apr 2026 12:20:51 +0000
Subject: [PATCH] fix(ci): use NPM_PUBLISH_TOKEN for Gitea npm registry auth

The auto-generated secrets.GITEA_TOKEN lacks write:package scope,
causing npm publish to fail with E401. Use a dedicated repo secret
NPM_PUBLISH_TOKEN with a personal access token that has write:package.
---
 .gitea/workflows/release-node.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/release-node.yml b/.gitea/workflows/release-node.yml
index 084803f..b97b369 100644
--- a/.gitea/workflows/release-node.yml
+++ b/.gitea/workflows/release-node.yml
@@ -58,9 +58,13 @@ jobs:
 
       - name: Configure npm auth for Gitea
         env:
-          NPM_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
         run: |
           set -euo pipefail
+          if [ -z "${NPM_TOKEN:-}" ]; then
+            echo "::error::NPM_PUBLISH_TOKEN secret is not set (needs Gitea token with write:package scope)" >&2
+            exit 1
+          fi
           echo "@kuns:registry=https://${NPM_REGISTRY_HOST}" > .npmrc
           echo "//${NPM_REGISTRY_HOST}:_authToken=${NPM_TOKEN}" >> .npmrc