2026-06-20 15:30:20 +00:00
88 changed files with 348 additions and 348 deletions
@@ -57,7 +57,7 @@ jobs:
      - name: Determine target repos
        id: repos
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1"

@@ -105,7 +105,7 @@ jobs:

      - name: Apply protection rules
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          DRY_RUN: ${{ inputs.dry_run || 'false' }}
        run: |
          API="${GITEA_URL}/api/v1"
@@ -84,8 +84,8 @@ jobs:
          echo "Running: php automation/bulk_sync.php ${{ steps.args.outputs.args }}"
          php automation/bulk_sync.php ${{ steps.args.outputs.args }} 2>&1 | tee /tmp/bulk_sync.log
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_PAT }}
          GIT_PLATFORM: gitea
          GITEA_URL: https://git.mokoconsulting.tech
          GITEA_ORG: MokoConsulting
@@ -112,7 +112,7 @@ jobs:
            bash automation/enforce_tags.sh || echo "Tag enforcement had errors (non-fatal)"
          fi
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          GITEA_URL: https://git.mokoconsulting.tech
          GITEA_ORG: MokoConsulting

@@ -57,7 +57,7 @@ jobs:
      - name: Determine target repos
        id: repos
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1"

@@ -107,7 +107,7 @@ jobs:
      - name: Run Renovate
        if: steps.repos.outputs.repo_list != ''
        env:
-          RENOVATE_TOKEN: ${{ secrets.GA_TOKEN }}
+          RENOVATE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          RENOVATE_PLATFORM: gitea
          RENOVATE_ENDPOINT: ${{ env.GITEA_URL }}/api/v1
          RENOVATE_GIT_AUTHOR: 'Renovate Bot <renovate@mokoconsulting.tech>'
@@ -31,7 +31,7 @@ jobs:

      - name: Sync all wikis
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_PAT }}
          GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
        run: |
          if [ -z "$GH_TOKEN" ]; then
@@ -42,10 +42,10 @@ jobs:

      - name: Setup MokoStandards tools
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.MOKOGITEA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.MOKOGITEA_TOKEN || github.token }}"}}'
        run: |
          git clone --depth 1 --branch main --quiet \
            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
@@ -85,7 +85,7 @@ jobs:
      - name: Check actor permission (admin only)
        id: perm
        env:
-          TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
          REPO: ${{ github.repository }}
          ACTOR: ${{ github.actor }}
        run: |
@@ -85,7 +85,7 @@ jobs:
      - name: Check actor permission (admin only)
        id: perm
        env:
-          TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
          REPO: ${{ github.repository }}
          ACTOR: ${{ github.actor }}
        run: |
@@ -32,7 +32,7 @@ jobs:
    steps:
      - name: Assign unassigned issues
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          ASSIGNEE="jmiller"
@@ -47,7 +47,7 @@ jobs:
    steps:
      - name: Create tracking issue and sub-issues
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          # For manual dispatch, use input; for auto, use event ref
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
@@ -55,14 +55,14 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
          fetch-depth: 0

      - name: Setup mokoplatform tools
        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN }}"}}'
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT }}"}}'
        run: |
          # Ensure PHP + Composer are available
          if ! command -v composer &> /dev/null; then
@@ -287,7 +287,7 @@ jobs:
          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
          git config --local user.name "gitea-actions[bot]"
          # Set push URL with token for branch-protected repos
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git remote set-url origin "https://jmiller:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
          git add -A
          git commit -m "chore(release): build ${VERSION} [skip ci]" \
            --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
@@ -350,20 +350,20 @@ jobs:
          RELEASE_NAME="${EXT_NAME} ${VERSION} (${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION})"

          # Delete existing release if present (overwrite, not append)
-          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
          EXISTING_ID=$(echo "$EXISTING" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('id',''))" 2>/dev/null || true)

          if [ -n "$EXISTING_ID" ]; then
-            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            curl -sS -X DELETE -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
              "${API_BASE}/releases/${EXISTING_ID}" 2>/dev/null || true
-            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            curl -sS -X DELETE -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
              "${API_BASE}/tags/${RELEASE_TAG}" 2>/dev/null || true
            echo "Deleted previous stable release (id: ${EXISTING_ID})"
          fi

          # Create fresh release
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            -H "Content-Type: application/json" \
            "${API_BASE}/releases" \
            -d "$(python3 -c "import json; print(json.dumps({
@@ -385,7 +385,7 @@ jobs:
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"

          # All ZIPs upload to the major release tag (vXX)
-          RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
          RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
          if [ -z "$RELEASE_ID" ]; then
@@ -444,7 +444,7 @@ jobs:
          SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)

          # -- Delete existing assets with same name before uploading ------
-          ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API_BASE}/releases/${RELEASE_ID}/assets" 2>/dev/null || echo "[]")
          for ASSET_NAME in "$ZIP_NAME" "$TAR_NAME"; do
            ASSET_ID=$(echo "$ASSETS" | python3 -c "
@@ -455,18 +455,18 @@ jobs:
                  print(a['id']); break
          " 2>/dev/null || true)
            if [ -n "$ASSET_ID" ]; then
-              curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+              curl -sf -X DELETE -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
                "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
            fi
          done

          # -- Upload both to release tag ----------------------------------
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            -H "Content-Type: application/octet-stream" \
            --data-binary @"/tmp/${ZIP_NAME}" \
            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" > /dev/null 2>&1 || true

-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            -H "Content-Type: application/octet-stream" \
            --data-binary @"/tmp/${TAR_NAME}" \
            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${TAR_NAME}" > /dev/null 2>&1 || true
@@ -523,7 +523,7 @@ jobs:
            git push || true

            # Sync updates.xml to main via direct API (always runs — may be on version/XX branch)
-            GA_TOKEN="${{ secrets.GA_TOKEN }}"
+            GA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
            API="${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}"

            FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
@@ -605,7 +605,7 @@ jobs:
          [ -n "$SHA256_TAR" ] && BODY="${BODY}| \`${TAR_NAME}\` | \`${SHA256_TAR}\` |\n"

          # Get release ID and update body
-          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null | \
            python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)

@@ -617,7 +617,7 @@ jobs:
          req = urllib.request.Request(
              '${API_BASE}/releases/${RELEASE_ID}',
              data=data,
-              headers={'Authorization': 'token ${{ secrets.GA_TOKEN }}', 'Content-Type': 'application/json'},
+              headers={'Authorization': 'token ${{ secrets.MOKOGITEA_TOKEN }}', 'Content-Type': 'application/json'},
              method='PATCH'
          )
          urllib.request.urlopen(req)
@@ -629,10 +629,10 @@ jobs:
        if: >-
          steps.version.outputs.skip != 'true' &&
          steps.version.outputs.stability == 'stable' &&
-          secrets.GH_TOKEN != ''
+          secrets.GH_PAT != ''
        continue-on-error: true
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_PAT }}
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
@@ -644,7 +644,7 @@ jobs:
          [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
          echo "$NOTES" > /tmp/release_notes.md

-          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)
+          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)

          if [ -z "$EXISTING" ]; then
            gh release create "$RELEASE_TAG" \
@@ -661,8 +661,8 @@ jobs:
          # Upload assets to GitHub mirror
          for PKG in /tmp/${EXT_ELEMENT:-pkg}-${VERSION}.*; do
            if [ -f "$PKG" ]; then
-              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
-              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
+              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
+              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
            fi
          done
          echo "GitHub mirror updated: ${GH_REPO} ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
@@ -671,14 +671,14 @@ jobs:
      - name: "Step 10: Push main to GitHub mirror"
        if: >-
          steps.version.outputs.skip != 'true' &&
-          secrets.GH_TOKEN != ''
+          secrets.GH_PAT != ''
        continue-on-error: true
        run: |
          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-          git remote add github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-            git remote set-url github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
+          git remote add github "https://x-access-token:${{ secrets.GH_PAT }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
+            git remote set-url github "https://x-access-token:${{ secrets.GH_PAT }}@github.com/${GH_ORG}/${GH_NAME}.git"
          git fetch origin main --depth=1
          git push github origin/main:refs/heads/main --force 2>/dev/null \
            && echo "main branch pushed to GitHub mirror" \
@@ -691,7 +691,7 @@ jobs:
        run: |
          php /tmp/mokoplatform-api/cli/release_cascade.php \
            --stability stable \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
            --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
            --gitea-url "${GITEA_URL}" 2>/dev/null || true

@@ -700,7 +700,7 @@ jobs:
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"

          # Delete dev branch
          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
@@ -724,7 +724,7 @@ jobs:
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          MOD_FILE="${{ steps.platform.outputs.mod_file }}"
          ENCODED_PATH=$(echo "$MOD_FILE" | sed 's|^\./||' | python3 -c "import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))")
          FILE_RESP=$(curl -sf -H "Authorization: token ${TOKEN}" "${API_BASE}/contents/${ENCODED_PATH}?ref=dev" 2>/dev/null || true)
@@ -52,7 +52,7 @@ jobs:
      - name: Discover target branches
        id: branches
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"

@@ -93,7 +93,7 @@ jobs:
      - name: Cascade to all target branches
        if: steps.branches.outputs.targets != ''
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          SHORT_SHA="${GITHUB_SHA:0:7}"
@@ -33,11 +33,11 @@ jobs:
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}

      - name: Delete merged branches
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          echo "=== Merged Branch Cleanup ==="
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -66,7 +66,7 @@ jobs:

      - name: Clean old workflow runs
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          echo "=== Workflow Run Cleanup ==="
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -42,10 +42,10 @@ jobs:

      - name: Setup mokoplatform tools
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.MOKOGITEA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.MOKOGITEA_TOKEN || github.token }}"}}'
        run: |
          git clone --depth 1 --branch main --quiet \
            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokoplatform.git" \
@@ -38,7 +38,7 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
          fetch-depth: 0

      # ── Build ────────────────────────────────────────────────────────
@@ -89,8 +89,8 @@ jobs:
      # ── Version ──────────────────────────────────────────────────────
      - name: Setup MokoStandards tools
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -212,7 +212,7 @@ jobs:
          steps.version.outputs.skip != 'true' &&
          steps.check.outputs.tag_exists != 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          VERSION="${{ steps.version.outputs.version }}"
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
@@ -43,7 +43,7 @@ jobs:
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}

      - name: Setup PHP
        run: |
@@ -54,7 +54,7 @@ jobs:

      - name: Setup mokoplatform tools
        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
        run: |
          git clone --depth 1 --branch main --quiet             "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokoplatform.git"             /tmp/mokoplatform-api
@@ -89,7 +89,7 @@ jobs:
          # Commit version bump
          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git remote set-url origin "https://jmiller:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
          git add -A
          git diff --cached --quiet || {
            git commit -m "chore(version): bump to ${VERSION} [skip ci]"
@@ -154,7 +154,7 @@ jobs:
          SHA256="${{ steps.zip.outputs.sha256 }}"
          ZIP_NAME="${{ steps.zip.outputs.zip_name }}"
          EXT_ELEMENT="${{ steps.meta.outputs.ext_element }}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          BRANCH=$(git branch --show-current)

@@ -212,13 +212,13 @@ jobs:
      - name: "Sync updates.xml to all branches"
        if: steps.platform.outputs.platform == 'joomla'
        run: |
-          php /tmp/mokoplatform-api/cli/updates_xml_sync.php             --path .             --current "${{ github.ref_name }}"             --branches main,dev             --version "${{ steps.meta.outputs.version }}"             --token "${{ secrets.GA_TOKEN }}"             --org "${GITEA_ORG}"             --repo "${GITEA_REPO}"             --gitea-url "${GITEA_URL}"
+          php /tmp/mokoplatform-api/cli/updates_xml_sync.php             --path .             --current "${{ github.ref_name }}"             --branches main,dev             --version "${{ steps.meta.outputs.version }}"             --token "${{ secrets.MOKOGITEA_TOKEN }}"             --org "${GITEA_ORG}"             --repo "${GITEA_REPO}"             --gitea-url "${GITEA_URL}"

      - name: "Delete lesser pre-release channels (cascade)"
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          STABILITY="${{ steps.meta.outputs.stability }}"

          # Cascade: rc → beta,alpha,dev | beta → alpha,dev | alpha → dev | dev → nothing
@@ -81,7 +81,7 @@ jobs:
      - name: Check actor permission (admin only)
        id: perm
        env:
-          TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
          REPO: ${{ github.repository }}
          ACTOR: ${{ github.actor }}
        run: |
@@ -67,12 +67,12 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
          fetch-depth: 0

      - name: Check actor permission
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          ACTOR="${{ github.actor }}"
          # Schedule triggers use github-actions[bot]
@@ -185,7 +185,7 @@ jobs:
      - name: Reset labels to standard set
        if: steps.tasks.outputs.reset_labels == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          echo "## 🏷️ Label Reset" >> $GITHUB_STEP_SUMMARY
@@ -267,7 +267,7 @@ jobs:
      - name: Delete old sync branches
        if: steps.tasks.outputs.clean_branches == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          CURRENT="chore/sync-mokostandards-v04.05"
@@ -295,7 +295,7 @@ jobs:
      - name: Clean up workflow runs
        if: steps.tasks.outputs.clean_workflows == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          echo "## 🔄 Workflow Run Cleanup" >> $GITHUB_STEP_SUMMARY
@@ -317,7 +317,7 @@ jobs:
      - name: Delete old workflow run logs
        if: steps.tasks.outputs.clean_logs == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)
@@ -494,7 +494,7 @@ jobs:
      - name: Delete old closed issues
        if: steps.tasks.outputs.delete_closed_issues == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)
@@ -506,8 +506,8 @@ jobs:

      - name: Setup MokoStandards tools
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -1970,8 +1970,8 @@ jobs:

      - name: Install API Package
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          if [ -f "composer.json" ]; then
            composer install --no-dev --no-interaction --prefer-dist --optimize-autoloader
@@ -2042,8 +2042,8 @@ jobs:

      - name: Install API Package
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          if [ -f "composer.json" ]; then
            composer install --no-dev --no-interaction --prefer-dist --optimize-autoloader
@@ -2537,7 +2537,7 @@ jobs:
      - name: Create or reopen tracking issue for standards violations
        if: failure()
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          RUN_URL="${{ github.server_url }}/${REPO}/actions/runs/${{ github.run_id }}"
@@ -44,7 +44,7 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
          fetch-depth: 0

      - name: Set up PHP
@@ -55,8 +55,8 @@ jobs:

      - name: Setup MokoStandards tools
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -106,7 +106,7 @@ jobs:
            --create-issue \
            --repo "${{ github.repository }}"
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}

      - name: Commit updated files
        if: ${{ steps.readme_version.outputs.skip != 'true' && inputs.dry_run != true }}
@@ -32,7 +32,7 @@ jobs:
    steps:
      - name: Assign unassigned issues
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          ASSIGNEE="jmiller"
@@ -47,7 +47,7 @@ jobs:
    steps:
      - name: Create tracking issue and sub-issues
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          # For manual dispatch, use input; for auto, use event ref
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
@@ -59,13 +59,13 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
          fetch-depth: 0

      - name: Setup MokoStandards tools
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -275,7 +275,7 @@ jobs:
          steps.version.outputs.skip != 'true' &&
          steps.check.outputs.tag_exists != 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          VERSION="${{ steps.version.outputs.version }}"
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
@@ -52,7 +52,7 @@ jobs:
      - name: Discover target branches
        id: branches
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"

@@ -93,7 +93,7 @@ jobs:
      - name: Cascade to all target branches
        if: steps.branches.outputs.targets != ''
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          SHORT_SHA="${GITHUB_SHA:0:7}"
@@ -84,7 +84,7 @@ jobs:
          # Prefer the org-scoped GH_TOKEN secret (needed for the org membership
          # fallback). Falls back to the built-in github.token so the collaborator
          # endpoint still works even if GH_TOKEN is not configured.
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          ACTOR="${{ github.actor }}"
          REPO="${{ github.repository }}"
@@ -421,8 +421,8 @@ jobs:
      - name: Setup MokoStandards deploy tools
        if: steps.source.outputs.skip == 'false' && steps.remote.outputs.skip != 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -647,7 +647,7 @@ jobs:
      - name: Create or update failure issue
        if: failure() && steps.remote.outputs.skip != 'true' && steps.conn.outputs.skip != 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          RUN_URL="${{ github.server_url }}/${REPO}/actions/runs/${{ github.run_id }}"
@@ -89,7 +89,7 @@ jobs:
          # Prefer the org-scoped GH_TOKEN secret (needed for the org membership
          # fallback). Falls back to the built-in github.token so the collaborator
          # endpoint still works even if GH_TOKEN is not configured.
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          ACTOR="${{ github.actor }}"
          REPO="${{ github.repository }}"
@@ -421,8 +421,8 @@ jobs:
      - name: Setup MokoStandards deploy tools
        if: steps.source.outputs.skip == 'false' && steps.remote.outputs.skip != 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -38,7 +38,7 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
          fetch-depth: 0

      # ── Build ────────────────────────────────────────────────────────
@@ -89,8 +89,8 @@ jobs:
      # ── Version ──────────────────────────────────────────────────────
      - name: Setup MokoStandards tools
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -212,7 +212,7 @@ jobs:
          steps.version.outputs.skip != 'true' &&
          steps.check.outputs.tag_exists != 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          VERSION="${{ steps.version.outputs.version }}"
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
@@ -67,12 +67,12 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
          fetch-depth: 0

      - name: Check actor permission
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          ACTOR="${{ github.actor }}"
          # Schedule triggers use github-actions[bot]
@@ -185,7 +185,7 @@ jobs:
      - name: Reset labels to standard set
        if: steps.tasks.outputs.reset_labels == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          echo "## 🏷️ Label Reset" >> $GITHUB_STEP_SUMMARY
@@ -267,7 +267,7 @@ jobs:
      - name: Delete old sync branches
        if: steps.tasks.outputs.clean_branches == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          CURRENT="chore/sync-mokostandards-v04.05"
@@ -295,7 +295,7 @@ jobs:
      - name: Clean up workflow runs
        if: steps.tasks.outputs.clean_workflows == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          echo "## 🔄 Workflow Run Cleanup" >> $GITHUB_STEP_SUMMARY
@@ -317,7 +317,7 @@ jobs:
      - name: Delete old workflow run logs
        if: steps.tasks.outputs.clean_logs == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)
@@ -494,7 +494,7 @@ jobs:
      - name: Delete old closed issues
        if: steps.tasks.outputs.delete_closed_issues == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)
@@ -506,8 +506,8 @@ jobs:

      - name: Setup MokoStandards tools
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -1970,8 +1970,8 @@ jobs:

      - name: Install API Package
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          if [ -f "composer.json" ]; then
            composer install --no-dev --no-interaction --prefer-dist --optimize-autoloader
@@ -2042,8 +2042,8 @@ jobs:

      - name: Install API Package
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          if [ -f "composer.json" ]; then
            composer install --no-dev --no-interaction --prefer-dist --optimize-autoloader
@@ -2537,7 +2537,7 @@ jobs:
      - name: Create or reopen tracking issue for standards violations
        if: failure()
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          RUN_URL="${{ github.server_url }}/${REPO}/actions/runs/${{ github.run_id }}"
@@ -44,7 +44,7 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
          fetch-depth: 0

      - name: Set up PHP
@@ -55,8 +55,8 @@ jobs:

      - name: Setup MokoStandards tools
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -106,7 +106,7 @@ jobs:
            --create-issue \
            --repo "${{ github.repository }}"
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}

      - name: Commit updated files
        if: ${{ steps.readme_version.outputs.skip != 'true' && inputs.dry_run != true }}
@@ -32,7 +32,7 @@ jobs:
    steps:
      - name: Assign unassigned issues
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          ASSIGNEE="jmiller"
@@ -47,7 +47,7 @@ jobs:
    steps:
      - name: Create tracking issue and sub-issues
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          # For manual dispatch, use input; for auto, use event ref
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
@@ -55,14 +55,14 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
          fetch-depth: 0

      - name: Setup mokoplatform tools
        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN }}"}}'
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT }}"}}'
        run: |
          # Ensure PHP + Composer are available
          if ! command -v composer &> /dev/null; then
@@ -287,7 +287,7 @@ jobs:
          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
          git config --local user.name "gitea-actions[bot]"
          # Set push URL with token for branch-protected repos
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git remote set-url origin "https://jmiller:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
          git add -A
          git commit -m "chore(release): build ${VERSION} [skip ci]" \
            --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
@@ -350,20 +350,20 @@ jobs:
          RELEASE_NAME="${EXT_NAME} ${VERSION} (${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION})"

          # Delete existing release if present (overwrite, not append)
-          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
          EXISTING_ID=$(echo "$EXISTING" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('id',''))" 2>/dev/null || true)

          if [ -n "$EXISTING_ID" ]; then
-            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            curl -sS -X DELETE -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
              "${API_BASE}/releases/${EXISTING_ID}" 2>/dev/null || true
-            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            curl -sS -X DELETE -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
              "${API_BASE}/tags/${RELEASE_TAG}" 2>/dev/null || true
            echo "Deleted previous stable release (id: ${EXISTING_ID})"
          fi

          # Create fresh release
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            -H "Content-Type: application/json" \
            "${API_BASE}/releases" \
            -d "$(python3 -c "import json; print(json.dumps({
@@ -385,7 +385,7 @@ jobs:
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"

          # All ZIPs upload to the major release tag (vXX)
-          RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
          RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
          if [ -z "$RELEASE_ID" ]; then
@@ -444,7 +444,7 @@ jobs:
          SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)

          # -- Delete existing assets with same name before uploading ------
-          ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API_BASE}/releases/${RELEASE_ID}/assets" 2>/dev/null || echo "[]")
          for ASSET_NAME in "$ZIP_NAME" "$TAR_NAME"; do
            ASSET_ID=$(echo "$ASSETS" | python3 -c "
@@ -455,18 +455,18 @@ jobs:
                  print(a['id']); break
          " 2>/dev/null || true)
            if [ -n "$ASSET_ID" ]; then
-              curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+              curl -sf -X DELETE -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
                "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
            fi
          done

          # -- Upload both to release tag ----------------------------------
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            -H "Content-Type: application/octet-stream" \
            --data-binary @"/tmp/${ZIP_NAME}" \
            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" > /dev/null 2>&1 || true

-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            -H "Content-Type: application/octet-stream" \
            --data-binary @"/tmp/${TAR_NAME}" \
            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${TAR_NAME}" > /dev/null 2>&1 || true
@@ -523,7 +523,7 @@ jobs:
            git push || true

            # Sync updates.xml to main via direct API (always runs — may be on version/XX branch)
-            GA_TOKEN="${{ secrets.GA_TOKEN }}"
+            GA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
            API="${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}"

            FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
@@ -605,7 +605,7 @@ jobs:
          [ -n "$SHA256_TAR" ] && BODY="${BODY}| \`${TAR_NAME}\` | \`${SHA256_TAR}\` |\n"

          # Get release ID and update body
-          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null | \
            python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)

@@ -617,7 +617,7 @@ jobs:
          req = urllib.request.Request(
              '${API_BASE}/releases/${RELEASE_ID}',
              data=data,
-              headers={'Authorization': 'token ${{ secrets.GA_TOKEN }}', 'Content-Type': 'application/json'},
+              headers={'Authorization': 'token ${{ secrets.MOKOGITEA_TOKEN }}', 'Content-Type': 'application/json'},
              method='PATCH'
          )
          urllib.request.urlopen(req)
@@ -629,10 +629,10 @@ jobs:
        if: >-
          steps.version.outputs.skip != 'true' &&
          steps.version.outputs.stability == 'stable' &&
-          secrets.GH_TOKEN != ''
+          secrets.GH_PAT != ''
        continue-on-error: true
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_PAT }}
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
@@ -644,7 +644,7 @@ jobs:
          [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
          echo "$NOTES" > /tmp/release_notes.md

-          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)
+          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)

          if [ -z "$EXISTING" ]; then
            gh release create "$RELEASE_TAG" \
@@ -661,8 +661,8 @@ jobs:
          # Upload assets to GitHub mirror
          for PKG in /tmp/${EXT_ELEMENT:-pkg}-${VERSION}.*; do
            if [ -f "$PKG" ]; then
-              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
-              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
+              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
+              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
            fi
          done
          echo "GitHub mirror updated: ${GH_REPO} ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
@@ -671,14 +671,14 @@ jobs:
      - name: "Step 10: Push main to GitHub mirror"
        if: >-
          steps.version.outputs.skip != 'true' &&
-          secrets.GH_TOKEN != ''
+          secrets.GH_PAT != ''
        continue-on-error: true
        run: |
          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-          git remote add github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-            git remote set-url github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
+          git remote add github "https://x-access-token:${{ secrets.GH_PAT }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
+            git remote set-url github "https://x-access-token:${{ secrets.GH_PAT }}@github.com/${GH_ORG}/${GH_NAME}.git"
          git fetch origin main --depth=1
          git push github origin/main:refs/heads/main --force 2>/dev/null \
            && echo "main branch pushed to GitHub mirror" \
@@ -691,7 +691,7 @@ jobs:
        run: |
          php /tmp/mokoplatform-api/cli/release_cascade.php \
            --stability stable \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
            --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
            --gitea-url "${GITEA_URL}" 2>/dev/null || true

@@ -700,7 +700,7 @@ jobs:
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"

          # Delete dev branch
          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
@@ -724,7 +724,7 @@ jobs:
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          MOD_FILE="${{ steps.platform.outputs.mod_file }}"
          ENCODED_PATH=$(echo "$MOD_FILE" | sed 's|^\./||' | python3 -c "import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))")
          FILE_RESP=$(curl -sf -H "Authorization: token ${TOKEN}" "${API_BASE}/contents/${ENCODED_PATH}?ref=dev" 2>/dev/null || true)
@@ -52,7 +52,7 @@ jobs:
      - name: Discover target branches
        id: branches
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"

@@ -93,7 +93,7 @@ jobs:
      - name: Cascade to all target branches
        if: steps.branches.outputs.targets != ''
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          SHORT_SHA="${GITHUB_SHA:0:7}"
@@ -33,11 +33,11 @@ jobs:
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}

      - name: Delete merged branches
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          echo "=== Merged Branch Cleanup ==="
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -66,7 +66,7 @@ jobs:

      - name: Clean old workflow runs
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          echo "=== Workflow Run Cleanup ==="
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -42,10 +42,10 @@ jobs:

      - name: Setup mokoplatform tools
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.MOKOGITEA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.MOKOGITEA_TOKEN || github.token }}"}}'
        run: |
          git clone --depth 1 --branch main --quiet \
            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokoplatform.git" \
@@ -38,7 +38,7 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
          fetch-depth: 0

      # ── Build ────────────────────────────────────────────────────────
@@ -89,8 +89,8 @@ jobs:
      # ── Version ──────────────────────────────────────────────────────
      - name: Setup MokoStandards tools
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -212,7 +212,7 @@ jobs:
          steps.version.outputs.skip != 'true' &&
          steps.check.outputs.tag_exists != 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          VERSION="${{ steps.version.outputs.version }}"
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
@@ -43,7 +43,7 @@ jobs:
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}

      - name: Setup PHP
        run: |
@@ -54,7 +54,7 @@ jobs:

      - name: Setup mokoplatform tools
        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
        run: |
          git clone --depth 1 --branch main --quiet             "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokoplatform.git"             /tmp/mokoplatform-api
@@ -89,7 +89,7 @@ jobs:
          # Commit version bump
          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git remote set-url origin "https://jmiller:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
          git add -A
          git diff --cached --quiet || {
            git commit -m "chore(version): bump to ${VERSION} [skip ci]"
@@ -154,7 +154,7 @@ jobs:
          SHA256="${{ steps.zip.outputs.sha256 }}"
          ZIP_NAME="${{ steps.zip.outputs.zip_name }}"
          EXT_ELEMENT="${{ steps.meta.outputs.ext_element }}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          BRANCH=$(git branch --show-current)

@@ -212,13 +212,13 @@ jobs:
      - name: "Sync updates.xml to all branches"
        if: steps.platform.outputs.platform == 'joomla'
        run: |
-          php /tmp/mokoplatform-api/cli/updates_xml_sync.php             --path .             --current "${{ github.ref_name }}"             --branches main,dev             --version "${{ steps.meta.outputs.version }}"             --token "${{ secrets.GA_TOKEN }}"             --org "${GITEA_ORG}"             --repo "${GITEA_REPO}"             --gitea-url "${GITEA_URL}"
+          php /tmp/mokoplatform-api/cli/updates_xml_sync.php             --path .             --current "${{ github.ref_name }}"             --branches main,dev             --version "${{ steps.meta.outputs.version }}"             --token "${{ secrets.MOKOGITEA_TOKEN }}"             --org "${GITEA_ORG}"             --repo "${GITEA_REPO}"             --gitea-url "${GITEA_URL}"

      - name: "Delete lesser pre-release channels (cascade)"
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          STABILITY="${{ steps.meta.outputs.stability }}"

          # Cascade: rc → beta,alpha,dev | beta → alpha,dev | alpha → dev | dev → nothing
@@ -81,7 +81,7 @@ jobs:
      - name: Check actor permission (admin only)
        id: perm
        env:
-          TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
          REPO: ${{ github.repository }}
          ACTOR: ${{ github.actor }}
        run: |
@@ -67,12 +67,12 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
          fetch-depth: 0

      - name: Check actor permission
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          ACTOR="${{ github.actor }}"
          # Schedule triggers use github-actions[bot]
@@ -185,7 +185,7 @@ jobs:
      - name: Reset labels to standard set
        if: steps.tasks.outputs.reset_labels == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          echo "## 🏷️ Label Reset" >> $GITHUB_STEP_SUMMARY
@@ -267,7 +267,7 @@ jobs:
      - name: Delete old sync branches
        if: steps.tasks.outputs.clean_branches == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          CURRENT="chore/sync-mokostandards-v04.05"
@@ -295,7 +295,7 @@ jobs:
      - name: Clean up workflow runs
        if: steps.tasks.outputs.clean_workflows == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          echo "## 🔄 Workflow Run Cleanup" >> $GITHUB_STEP_SUMMARY
@@ -317,7 +317,7 @@ jobs:
      - name: Delete old workflow run logs
        if: steps.tasks.outputs.clean_logs == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)
@@ -494,7 +494,7 @@ jobs:
      - name: Delete old closed issues
        if: steps.tasks.outputs.delete_closed_issues == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)
@@ -506,8 +506,8 @@ jobs:

      - name: Setup MokoStandards tools
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -1970,8 +1970,8 @@ jobs:

      - name: Install API Package
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          if [ -f "composer.json" ]; then
            composer install --no-dev --no-interaction --prefer-dist --optimize-autoloader
@@ -2042,8 +2042,8 @@ jobs:

      - name: Install API Package
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          if [ -f "composer.json" ]; then
            composer install --no-dev --no-interaction --prefer-dist --optimize-autoloader
@@ -2537,7 +2537,7 @@ jobs:
      - name: Create or reopen tracking issue for standards violations
        if: failure()
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          RUN_URL="${{ github.server_url }}/${REPO}/actions/runs/${{ github.run_id }}"
@@ -44,7 +44,7 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
          fetch-depth: 0

      - name: Set up PHP
@@ -55,8 +55,8 @@ jobs:

      - name: Setup MokoStandards tools
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -106,7 +106,7 @@ jobs:
            --create-issue \
            --repo "${{ github.repository }}"
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}

      - name: Commit updated files
        if: ${{ steps.readme_version.outputs.skip != 'true' && inputs.dry_run != true }}
@@ -32,7 +32,7 @@ jobs:
    steps:
      - name: Assign unassigned issues
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          ASSIGNEE="jmiller"
@@ -47,7 +47,7 @@ jobs:
    steps:
      - name: Create tracking issue and sub-issues
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          # For manual dispatch, use input; for auto, use event ref
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
@@ -53,14 +53,14 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
          fetch-depth: 0

      - name: Setup mokoplatform tools
        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN }}"}}'
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT }}"}}'
        run: |
          # Ensure PHP + Composer are available
          if ! command -v composer &> /dev/null; then
@@ -286,7 +286,7 @@ jobs:
          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
          git config --local user.name "gitea-actions[bot]"
          # Set push URL with token for branch-protected repos
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git remote set-url origin "https://jmiller:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
          git add -A
          git commit -m "chore(release): build ${VERSION} [skip ci]" \
            --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
@@ -349,20 +349,20 @@ jobs:
          RELEASE_NAME="${EXT_NAME} ${VERSION} (${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION})"

          # Delete existing release if present (overwrite, not append)
-          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
          EXISTING_ID=$(echo "$EXISTING" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('id',''))" 2>/dev/null || true)

          if [ -n "$EXISTING_ID" ]; then
-            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            curl -sS -X DELETE -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
              "${API_BASE}/releases/${EXISTING_ID}" 2>/dev/null || true
-            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            curl -sS -X DELETE -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
              "${API_BASE}/tags/${RELEASE_TAG}" 2>/dev/null || true
            echo "Deleted previous stable release (id: ${EXISTING_ID})"
          fi

          # Create fresh release
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            -H "Content-Type: application/json" \
            "${API_BASE}/releases" \
            -d "$(python3 -c "import json; print(json.dumps({
@@ -384,7 +384,7 @@ jobs:
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"

          # All ZIPs upload to the major release tag (vXX)
-          RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
          RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
          if [ -z "$RELEASE_ID" ]; then
@@ -443,7 +443,7 @@ jobs:
          SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)

          # -- Delete existing assets with same name before uploading ------
-          ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API_BASE}/releases/${RELEASE_ID}/assets" 2>/dev/null || echo "[]")
          for ASSET_NAME in "$ZIP_NAME" "$TAR_NAME"; do
            ASSET_ID=$(echo "$ASSETS" | python3 -c "
@@ -454,18 +454,18 @@ jobs:
                  print(a['id']); break
          " 2>/dev/null || true)
            if [ -n "$ASSET_ID" ]; then
-              curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+              curl -sf -X DELETE -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
                "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
            fi
          done

          # -- Upload both to release tag ----------------------------------
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            -H "Content-Type: application/octet-stream" \
            --data-binary @"/tmp/${ZIP_NAME}" \
            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" > /dev/null 2>&1 || true

-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            -H "Content-Type: application/octet-stream" \
            --data-binary @"/tmp/${TAR_NAME}" \
            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${TAR_NAME}" > /dev/null 2>&1 || true
@@ -522,7 +522,7 @@ jobs:
            git push || true

            # Sync updates.xml to main via direct API (always runs — may be on version/XX branch)
-            GA_TOKEN="${{ secrets.GA_TOKEN }}"
+            GA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
            API="${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}"

            FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
@@ -604,7 +604,7 @@ jobs:
          [ -n "$SHA256_TAR" ] && BODY="${BODY}| \`${TAR_NAME}\` | \`${SHA256_TAR}\` |\n"

          # Get release ID and update body
-          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null | \
            python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)

@@ -616,7 +616,7 @@ jobs:
          req = urllib.request.Request(
              '${API_BASE}/releases/${RELEASE_ID}',
              data=data,
-              headers={'Authorization': 'token ${{ secrets.GA_TOKEN }}', 'Content-Type': 'application/json'},
+              headers={'Authorization': 'token ${{ secrets.MOKOGITEA_TOKEN }}', 'Content-Type': 'application/json'},
              method='PATCH'
          )
          urllib.request.urlopen(req)
@@ -628,10 +628,10 @@ jobs:
        if: >-
          steps.version.outputs.skip != 'true' &&
          steps.version.outputs.stability == 'stable' &&
-          secrets.GH_TOKEN != ''
+          secrets.GH_PAT != ''
        continue-on-error: true
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_PAT }}
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
@@ -643,7 +643,7 @@ jobs:
          [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
          echo "$NOTES" > /tmp/release_notes.md

-          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)
+          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)

          if [ -z "$EXISTING" ]; then
            gh release create "$RELEASE_TAG" \
@@ -660,8 +660,8 @@ jobs:
          # Upload assets to GitHub mirror
          for PKG in /tmp/${EXT_ELEMENT:-pkg}-${VERSION}.*; do
            if [ -f "$PKG" ]; then
-              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
-              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
+              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
+              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
            fi
          done
          echo "GitHub mirror updated: ${GH_REPO} ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
@@ -670,14 +670,14 @@ jobs:
      - name: "Step 10: Push main to GitHub mirror"
        if: >-
          steps.version.outputs.skip != 'true' &&
-          secrets.GH_TOKEN != ''
+          secrets.GH_PAT != ''
        continue-on-error: true
        run: |
          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-          git remote add github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-            git remote set-url github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
+          git remote add github "https://x-access-token:${{ secrets.GH_PAT }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
+            git remote set-url github "https://x-access-token:${{ secrets.GH_PAT }}@github.com/${GH_ORG}/${GH_NAME}.git"
          git fetch origin main --depth=1
          git push github origin/main:refs/heads/main --force 2>/dev/null \
            && echo "main branch pushed to GitHub mirror" \
@@ -690,7 +690,7 @@ jobs:
        run: |
          php /tmp/mokoplatform-api/cli/release_cascade.php \
            --stability stable \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
            --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
            --gitea-url "${GITEA_URL}" 2>/dev/null || true

@@ -699,7 +699,7 @@ jobs:
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"

          # Delete dev branch
          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
@@ -723,7 +723,7 @@ jobs:
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          MOD_FILE="${{ steps.platform.outputs.mod_file }}"
          ENCODED_PATH=$(echo "$MOD_FILE" | sed 's|^\./||' | python3 -c "import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))")
          FILE_RESP=$(curl -sf -H "Authorization: token ${TOKEN}" "${API_BASE}/contents/${ENCODED_PATH}?ref=dev" 2>/dev/null || true)
@@ -52,7 +52,7 @@ jobs:
      - name: Discover target branches
        id: branches
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"

@@ -93,7 +93,7 @@ jobs:
      - name: Cascade to all target branches
        if: steps.branches.outputs.targets != ''
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          SHORT_SHA="${GITHUB_SHA:0:7}"
@@ -33,11 +33,11 @@ jobs:
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}

      - name: Delete merged branches
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          echo "=== Merged Branch Cleanup ==="
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -66,7 +66,7 @@ jobs:

      - name: Clean old workflow runs
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          echo "=== Workflow Run Cleanup ==="
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -42,10 +42,10 @@ jobs:

      - name: Setup MokoStandards tools
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.MOKOGITEA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.MOKOGITEA_TOKEN || github.token }}"}}'
        run: |
          git clone --depth 1 --branch main --quiet \
            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
@@ -38,7 +38,7 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
          fetch-depth: 0

      # ── Build ────────────────────────────────────────────────────────
@@ -89,8 +89,8 @@ jobs:
      # ── Version ──────────────────────────────────────────────────────
      - name: Setup mokoplatform tools
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/MokoConsulting/mokoplatform.git" \
@@ -212,7 +212,7 @@ jobs:
          steps.version.outputs.skip != 'true' &&
          steps.check.outputs.tag_exists != 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          VERSION="${{ steps.version.outputs.version }}"
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
@@ -43,7 +43,7 @@ jobs:
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}

      - name: Setup tools
        run: |
@@ -58,7 +58,7 @@ jobs:
              sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl >/dev/null 2>&1
            fi
            git clone --depth 1 --branch main --quiet \
-              "https://x-access-token:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokoplatform.git" \
+              "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokoplatform.git" \
              /tmp/mokoplatform-api
          fi
          # Set MOKO_CLI to whichever path exists
@@ -110,7 +110,7 @@ jobs:
          # Commit version bump
          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git remote set-url origin "https://jmiller:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
          git add -A
          git diff --cached --quiet || {
            git commit -m "chore(version): pre-release bump to ${VERSION} [skip ci]"
@@ -225,7 +225,7 @@ jobs:
          SHA256="${{ steps.zip.outputs.sha256 }}"
          ZIP_NAME="${{ steps.meta.outputs.zip_name }}"
          EXT_ELEMENT="${{ steps.meta.outputs.ext_element }}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          BRANCH=$(git branch --show-current)

@@ -351,7 +351,7 @@ jobs:
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"

          php ${MOKO_CLI}/release_cascade.php \
            --stability "${{ steps.meta.outputs.stability }}" \
@@ -85,7 +85,7 @@ jobs:
      - name: Check actor permission (admin only)
        id: perm
        env:
-          TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
          REPO: ${{ github.repository }}
          ACTOR: ${{ github.actor }}
        run: |
@@ -67,12 +67,12 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
          fetch-depth: 0

      - name: Check actor permission
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          ACTOR="${{ github.actor }}"
          # Schedule triggers use github-actions[bot]
@@ -185,7 +185,7 @@ jobs:
      - name: Reset labels to standard set
        if: steps.tasks.outputs.reset_labels == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          echo "## 🏷️ Label Reset" >> $GITHUB_STEP_SUMMARY
@@ -267,7 +267,7 @@ jobs:
      - name: Delete old sync branches
        if: steps.tasks.outputs.clean_branches == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          CURRENT="chore/sync-mokostandards-v04.05"
@@ -295,7 +295,7 @@ jobs:
      - name: Clean up workflow runs
        if: steps.tasks.outputs.clean_workflows == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          echo "## 🔄 Workflow Run Cleanup" >> $GITHUB_STEP_SUMMARY
@@ -317,7 +317,7 @@ jobs:
      - name: Delete old workflow run logs
        if: steps.tasks.outputs.clean_logs == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)
@@ -494,7 +494,7 @@ jobs:
      - name: Delete old closed issues
        if: steps.tasks.outputs.delete_closed_issues == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)
@@ -506,8 +506,8 @@ jobs:

      - name: Setup MokoStandards tools
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -1970,8 +1970,8 @@ jobs:

      - name: Install API Package
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          if [ -f "composer.json" ]; then
            composer install --no-dev --no-interaction --prefer-dist --optimize-autoloader
@@ -2042,8 +2042,8 @@ jobs:

      - name: Install API Package
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          if [ -f "composer.json" ]; then
            composer install --no-dev --no-interaction --prefer-dist --optimize-autoloader
@@ -2537,7 +2537,7 @@ jobs:
      - name: Create or reopen tracking issue for standards violations
        if: failure()
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          RUN_URL="${{ github.server_url }}/${REPO}/actions/runs/${{ github.run_id }}"
@@ -44,7 +44,7 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
          fetch-depth: 0

      - name: Set up PHP
@@ -55,8 +55,8 @@ jobs:

      - name: Setup MokoStandards tools
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -106,7 +106,7 @@ jobs:
            --create-issue \
            --repo "${{ github.repository }}"
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}

      - name: Commit updated files
        if: ${{ steps.readme_version.outputs.skip != 'true' && inputs.dry_run != true }}
@@ -57,7 +57,7 @@ jobs:
      - name: Determine target repos
        id: repos
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1"

@@ -105,7 +105,7 @@ jobs:

      - name: Apply protection rules
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          DRY_RUN: ${{ inputs.dry_run || 'false' }}
        run: |
          API="${GITEA_URL}/api/v1"
@@ -37,7 +37,7 @@ jobs:
      - name: Setup mokoplatform
        run: |
          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokoplatform.git" \
+            "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokoplatform.git" \
            /tmp/mokoplatform 2>/dev/null || true

      - name: Read version
@@ -33,11 +33,11 @@ jobs:
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}

      - name: Delete merged branches
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          echo "=== Merged Branch Cleanup ==="
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -66,7 +66,7 @@ jobs:

      - name: Clean old workflow runs
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          echo "=== Workflow Run Cleanup ==="
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -62,7 +62,7 @@ jobs:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
          fetch-depth: 0
          clean: true

@@ -77,7 +77,7 @@ jobs:
      - name: Setup mokoplatform
        run: |
          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokoplatform.git" \
+            "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokoplatform.git" \
            /tmp/mokoplatform 2>/dev/null || true

      # ── Step 1: Read version from manifest ────────────────────
@@ -133,7 +133,7 @@ jobs:
          NAME="${{ steps.version.outputs.name }}"
          ZIP_PATH="${{ steps.build.outputs.zip_path }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          CLI="/tmp/mokoplatform/cli/release_manage.php"

          # Extract release notes via CLI
@@ -185,7 +185,7 @@ jobs:
            --branches main,dev \
            --current "$(git branch --show-current)" \
            --version "$VERSION" \
-            --token "${{ secrets.GA_TOKEN }}"
+            --token "${{ secrets.MOKOGITEA_TOKEN }}"

      # ── Step 5: Bump version on dev branch ─────────────────────
      - name: Bump dev version
@@ -195,7 +195,7 @@ jobs:
            --path . \
            --branch dev \
            --bump minor \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
            --api-base "${GITEA_URL}/api/v1/repos/${{ github.repository }}"

      # ── Summary ───────────────────────────────────────────────
@@ -34,12 +34,12 @@ jobs:
      - name: Setup mokoplatform
        run: |
          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokoplatform.git" \
+            "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokoplatform.git" \
            /tmp/mokoplatform 2>/dev/null || true

      - name: Run health check
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          # Get update URL from manifest, use API with auth for private repos
          UPDATE_URL=$(grep -m1 '<server' source/templateDetails.xml 2>/dev/null | sed 's/.*>\(http[^<]*\)<.*/\1/' || echo "")
@@ -28,7 +28,7 @@ jobs:
    steps:
      - name: Create branch and comment
        run: |
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
          ISSUE_NUM="${{ github.event.issue.number }}"
          ISSUE_TITLE="${{ github.event.issue.title }}"
@@ -37,7 +37,7 @@ jobs:
      - name: Setup mokoplatform
        run: |
          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokoplatform.git" \
+            "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokoplatform.git" \
            /tmp/mokoplatform 2>/dev/null || true

      - name: Check compatibility
@@ -36,7 +36,7 @@ jobs:
      - name: Setup mokoplatform
        run: |
          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokoplatform.git" \
+            "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokoplatform.git" \
            /tmp/mokoplatform 2>/dev/null || true

      - name: Read version
@@ -51,7 +51,7 @@ jobs:
        continue-on-error: true
        run: |
          php /tmp/mokoplatform/cli/release_validate.php \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
            --api-base "${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}" \
            --version "${{ steps.version.outputs.version }}" \
            --streams stable,rc,beta,alpha,development
@@ -35,7 +35,7 @@ jobs:
      - name: Setup mokoplatform
        run: |
          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokoplatform.git" \
+            "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokoplatform.git" \
            /tmp/mokoplatform 2>/dev/null || true

      - name: Lint theme
@@ -57,7 +57,7 @@ jobs:
      - name: Determine target repos
        id: repos
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1"

@@ -105,7 +105,7 @@ jobs:

      - name: Apply protection rules
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          DRY_RUN: ${{ inputs.dry_run || 'false' }}
        run: |
          API="${GITEA_URL}/api/v1"
@@ -55,7 +55,7 @@ jobs:

      - name: Clone MokoStandards
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -63,7 +63,7 @@ jobs:

      - name: Install dependencies
        env:
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          if [ -f "composer.json" ]; then
            composer install \
@@ -281,7 +281,7 @@ jobs:

      - name: Install dependencies
        env:
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          if [ -f "composer.json" ]; then
            composer install \
@@ -33,11 +33,11 @@ jobs:
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}

      - name: Delete merged branches
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          echo "=== Merged Branch Cleanup ==="
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -66,7 +66,7 @@ jobs:

      - name: Clean old workflow runs
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          echo "=== Workflow Run Cleanup ==="
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -66,10 +66,10 @@ jobs:

      - name: Setup MokoStandards tools
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.MOKOGITEA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.MOKOGITEA_TOKEN || github.token }}"}}'
        run: |
          git clone --depth 1 --branch main --quiet \
            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
@@ -66,10 +66,10 @@ jobs:

      - name: Setup MokoStandards tools
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.MOKOGITEA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.MOKOGITEA_TOKEN || github.token }}"}}'
        run: |
          git clone --depth 1 --branch main --quiet \
            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
@@ -42,10 +42,10 @@ jobs:

      - name: Setup MokoStandards tools
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.MOKOGITEA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.MOKOGITEA_TOKEN || github.token }}"}}'
        run: |
          git clone --depth 1 --branch main --quiet \
            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
@@ -28,7 +28,7 @@ jobs:
    steps:
      - name: Create branch and comment
        run: |
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
          ISSUE_NUM="${{ github.event.issue.number }}"
          ISSUE_TITLE="${{ github.event.issue.title }}"
@@ -149,7 +149,7 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: mokoconsulting-tech/mokodolimods
-          token: ${{ secrets.GH_TOKEN }}
+          token: ${{ secrets.GH_PAT }}
          path: mokodolimods

      - name: Create release branch
@@ -207,7 +207,7 @@ jobs:
      - name: Create pull request on mokodolimods
        if: steps.commit.outputs.changed == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_PAT }}
        run: |
          MODULE="${{ steps.branch.outputs.module }}"
          TAG="${{ steps.branch.outputs.tag }}"
@@ -57,7 +57,7 @@ jobs:
      - name: Determine target repos
        id: repos
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1"

@@ -105,7 +105,7 @@ jobs:

      - name: Apply protection rules
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          DRY_RUN: ${{ inputs.dry_run || 'false' }}
        run: |
          API="${GITEA_URL}/api/v1"
@@ -33,11 +33,11 @@ jobs:
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}

      - name: Delete merged branches
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          echo "=== Merged Branch Cleanup ==="
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -66,7 +66,7 @@ jobs:

      - name: Clean old workflow runs
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          echo "=== Workflow Run Cleanup ==="
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -42,10 +42,10 @@ jobs:

      - name: Setup MokoStandards tools
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.MOKOGITEA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.MOKOGITEA_TOKEN || github.token }}"}}'
        run: |
          git clone --depth 1 --branch main --quiet \
            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
@@ -28,7 +28,7 @@ jobs:
    steps:
      - name: Create branch and comment
        run: |
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
          ISSUE_NUM="${{ github.event.issue.number }}"
          ISSUE_TITLE="${{ github.event.issue.title }}"
@@ -57,7 +57,7 @@ jobs:
      - name: Determine target repos
        id: repos
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1"

@@ -105,7 +105,7 @@ jobs:

      - name: Apply protection rules
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          DRY_RUN: ${{ inputs.dry_run || 'false' }}
        run: |
          API="${GITEA_URL}/api/v1"
@@ -47,8 +47,8 @@ jobs:

      - name: Setup mokoplatform tools
        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.MOKOGITEA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
        run: |
          if [ -d "/tmp/mokoplatform" ] || [ -d "/opt/mokoplatform" ]; then
            echo "mokoplatform already available on runner — skipping clone"
@@ -60,7 +60,7 @@ jobs:

      - name: Install dependencies
        env:
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || secrets.GA_TOKEN || github.token }}"}}'
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || secrets.MOKOGITEA_TOKEN || github.token }}"}}'
        run: |
          if [ -f "composer.json" ]; then
            composer install \
@@ -370,7 +370,7 @@ jobs:

      - name: Install dependencies
        env:
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || secrets.GA_TOKEN || github.token }}"}}'
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || secrets.MOKOGITEA_TOKEN || github.token }}"}}'
        run: |
          if [ -f "composer.json" ]; then
            composer install \
@@ -420,7 +420,7 @@ jobs:

      - name: Install dependencies
        env:
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || secrets.GA_TOKEN || github.token }}"}}'
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || secrets.MOKOGITEA_TOKEN || github.token }}"}}'
        run: |
          if [ -f "composer.json" ]; then
            composer install --no-interaction --prefer-dist --optimize-autoloader
@@ -487,7 +487,7 @@ jobs:
    steps:
      - name: Trigger pre-release build
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          REPO: ${{ github.repository }}
          BRANCH: ${{ github.head_ref }}
        run: |
@@ -33,11 +33,11 @@ jobs:
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}

      - name: Delete merged branches
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          echo "=== Merged Branch Cleanup ==="
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -66,7 +66,7 @@ jobs:

      - name: Clean old workflow runs
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          echo "=== Workflow Run Cleanup ==="
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -28,7 +28,7 @@ jobs:
    steps:
      - name: Create branch and comment
        run: |
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
          ISSUE_NUM="${{ github.event.issue.number }}"
          ISSUE_TITLE="${{ github.event.issue.title }}"
@@ -57,7 +57,7 @@ jobs:
      - name: Determine target repos
        id: repos
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1"

@@ -105,7 +105,7 @@ jobs:

      - name: Apply protection rules
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          DRY_RUN: ${{ inputs.dry_run || 'false' }}
        run: |
          API="${GITEA_URL}/api/v1"
@@ -32,7 +32,7 @@ jobs:
    steps:
      - name: Assign unassigned issues
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          ASSIGNEE="jmiller"
@@ -47,7 +47,7 @@ jobs:
    steps:
      - name: Create tracking issue and sub-issues
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          # For manual dispatch, use input; for auto, use event ref
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
@@ -33,11 +33,11 @@ jobs:
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}

      - name: Delete merged branches
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          echo "=== Merged Branch Cleanup ==="
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -66,7 +66,7 @@ jobs:

      - name: Clean old workflow runs
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
          echo "=== Workflow Run Cleanup ==="
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -42,10 +42,10 @@ jobs:

      - name: Setup MokoStandards tools
        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.MOKOGITEA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.MOKOGITEA_TOKEN || github.token }}"}}'
        run: |
          git clone --depth 1 --branch main --quiet \
            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
@@ -28,7 +28,7 @@ jobs:
    steps:
      - name: Create branch and comment
        run: |
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
          ISSUE_NUM="${{ github.event.issue.number }}"
          ISSUE_TITLE="${{ github.event.issue.title }}"
@@ -38,7 +38,7 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
          fetch-depth: 0

      # ── Build ────────────────────────────────────────────────────────
@@ -89,8 +89,8 @@ jobs:
      # ── Version ──────────────────────────────────────────────────────
      - name: Setup mokoplatform tools
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/MokoConsulting/mokoplatform.git" \
@@ -212,7 +212,7 @@ jobs:
          steps.version.outputs.skip != 'true' &&
          steps.check.outputs.tag_exists != 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          VERSION="${{ steps.version.outputs.version }}"
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
@@ -67,12 +67,12 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
          fetch-depth: 0

      - name: Check actor permission
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          ACTOR="${{ github.actor }}"
          # Schedule triggers use github-actions[bot]
@@ -185,7 +185,7 @@ jobs:
      - name: Reset labels to standard set
        if: steps.tasks.outputs.reset_labels == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          echo "## 🏷️ Label Reset" >> $GITHUB_STEP_SUMMARY
@@ -267,7 +267,7 @@ jobs:
      - name: Delete old sync branches
        if: steps.tasks.outputs.clean_branches == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          CURRENT="chore/sync-mokostandards-v04.05"
@@ -295,7 +295,7 @@ jobs:
      - name: Clean up workflow runs
        if: steps.tasks.outputs.clean_workflows == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          echo "## 🔄 Workflow Run Cleanup" >> $GITHUB_STEP_SUMMARY
@@ -317,7 +317,7 @@ jobs:
      - name: Delete old workflow run logs
        if: steps.tasks.outputs.clean_logs == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)
@@ -494,7 +494,7 @@ jobs:
      - name: Delete old closed issues
        if: steps.tasks.outputs.delete_closed_issues == 'true'
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)
@@ -506,8 +506,8 @@ jobs:

      - name: Setup MokoStandards tools
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -1970,8 +1970,8 @@ jobs:

      - name: Install API Package
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          if [ -f "composer.json" ]; then
            composer install --no-dev --no-interaction --prefer-dist --optimize-autoloader
@@ -2042,8 +2042,8 @@ jobs:

      - name: Install API Package
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          if [ -f "composer.json" ]; then
            composer install --no-dev --no-interaction --prefer-dist --optimize-autoloader
@@ -2537,7 +2537,7 @@ jobs:
      - name: Create or reopen tracking issue for standards violations
        if: failure()
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
        run: |
          REPO="${{ github.repository }}"
          RUN_URL="${{ github.server_url }}/${REPO}/actions/runs/${{ github.run_id }}"
@@ -44,7 +44,7 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
          fetch-depth: 0

      - name: Set up PHP
@@ -55,8 +55,8 @@ jobs:

      - name: Setup MokoStandards tools
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
        run: |
          git clone --depth 1 --branch version/04 --quiet \
            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -106,7 +106,7 @@ jobs:
            --create-issue \
            --repo "${{ github.repository }}"
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}

      - name: Commit updated files
        if: ${{ steps.readme_version.outputs.skip != 'true' && inputs.dry_run != true }}