diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index c1dc3ce..8dcf125 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -42,10 +42,12 @@ jobs:
           repository: neuron-technologies/engram-lang
           path: engram-lang
           fetch-depth: 1
-          # Gitea Actions auto-issues GITHUB_TOKEN scoped to the workflow run.
-          # That token has read access to other repos in the same org by
-          # default, so cross-repo checkout just works.
-          token: ${{ secrets.GITHUB_TOKEN }}
+          # Gitea-issued GITHUB_TOKEN is workflow-scoped to the current repo
+          # only. Cross-repo checkout needs a token with read access to
+          # neuron-technologies/engram-lang. CHECKOUT_TOKEN holds Will's
+          # admin API token (sourced from ~/Secrets/api-keys/gitea-api-token).
+          # Long-term: provision a dedicated read-only PAT.
+          token: ${{ secrets.CHECKOUT_TOKEN }}
 
       - name: Stage engram-lang as foundation/el for build-stage.sh
         run: |