From 4629796a75f3f77c58b83cc9f07bab6aee8deacf Mon Sep 17 00:00:00 2001 From: Will Anderson Date: Sat, 2 May 2026 12:54:35 -0500 Subject: [PATCH] ci: use CHECKOUT_TOKEN repo secret for cross-repo engram-lang checkout The auto-issued GITHUB_TOKEN is scoped to the current repo only, so cross-repo actions/checkout needs an explicit token. CHECKOUT_TOKEN holds an admin-scoped Gitea API token; long-term we should switch to a dedicated read-only PAT.
---
 .gitea/workflows/deploy.yaml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index c1dc3ce..8dcf125 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -42,10 +42,12 @@ jobs:
 repository: neuron-technologies/engram-lang
 path: engram-lang
 fetch-depth: 1
- # Gitea Actions auto-issues GITHUB_TOKEN scoped to the workflow run.
- # That token has read access to other repos in the same org by
- # default, so cross-repo checkout just works.
- token: ${{ secrets.GITHUB_TOKEN }}
+ # Gitea-issued GITHUB_TOKEN is workflow-scoped to the current repo
+ # only. Cross-repo checkout needs a token with read access to
+ # neuron-technologies/engram-lang. CHECKOUT_TOKEN holds Will's
+ # admin API token (sourced from ~/Secrets/api-keys/gitea-api-token).
+ # Long-term: provision a dedicated read-only PAT.
+ token: ${{ secrets.CHECKOUT_TOKEN }}
 - name: Stage engram-lang as foundation/el for build-stage.sh
 run: |
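Review bot: The new `token: ${{ secrets.CHECKOUT_TOKEN }}` line hands an admin-scoped personal API token to a step that only needs read access to neuron-technologies/engram-lang, so every later step in this job runs within reach of a credential far broader than the task. The step's `uses:` line is above the hunk, but if it is `actions/checkout` as the commit message says, the token is by default kept in the local git configuration of the checkout, where the following `Stage engram-lang` step and anything it invokes can read it. Adding `persist-credentials: false` next to `fetch-depth: 1` removes the credential once the fetch is done. The read-only replacement should be tracked as a follow-up with an owner rather than left as a comment, since a personal admin token also ties this pipeline to one account's rotation and offboarding. The added comment also records the workstation path the secret was copied from, which the repository does not need; I would shorten it to `# CHECKOUT_TOKEN: needs read access to neuron-technologies/engram-lang only. TODO: replace the admin token with a dedicated read-only token.`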