diff --git a/.github/workflows/detect-pr-pipeline.yaml b/.github/workflows/detect-pr-pipeline.yaml index f64111d..1745db3 100644 --- a/.github/workflows/detect-pr-pipeline.yaml +++ b/.github/workflows/detect-pr-pipeline.yaml @@ -14,12 +14,16 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 2 + env: + HEAD_REF: ${{ github.head_ref }} + BASE_REF: ${{ github.base_ref }} + steps: - name: Checkout run: | git clone --depth=1 "https://x-access-token:${{ secrets.GITEA_TOKEN }}@git.farh.net/${{ github.repository }}.git" . - git fetch origin "${{ github.base_ref }}" --depth=1 - git fetch origin "${{ github.head_ref }}" --depth=1 + git fetch origin "$BASE_REF" --depth=1 + git fetch origin +refs/pull/*/head:refs/pull/*/head --depth=1 git checkout "${{ github.sha }}" - name: Run detection tests @@ -29,6 +33,10 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 + env: + HEAD_REF: ${{ github.head_ref }} + BASE_REF: ${{ github.base_ref }} + outputs: pipeline-type: ${{ steps.detect.outputs.pipeline-type }} 
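Review bot: The new `git fetch origin +refs/pull/*/head:refs/pull/*/head --depth=1` in the Checkout step fetches the head of every pull request in the repository rather than the one under test, and the unquoted `*` is left for the shell to glob first. If this job only runs for pull requests, exporting `PR_NUMBER: ${{ github.event.pull_request.number }}` and fetching `"+refs/pull/${PR_NUMBER}/head:refs/pull/${PR_NUMBER}/head"` keeps the fetch scoped. The same line appears in the `@@ -36,16` hunk of this file (Checkout and "Get changed files") and in pr-validation.yaml. `HEAD_REF` is exported in both new `env:` blocks but no visible line reads it any more, so it can probably be dropped. Separately, the unchanged clone line still embeds `secrets.GITEA_TOKEN` in the origin URL, which git keeps in `.git/config` for the rest of the job; that is outside this change but worth a follow-up.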
@@ -36,16 +44,16 @@ jobs: - name: Checkout run: | git clone --depth=1 "https://x-access-token:${{ secrets.GITEA_TOKEN }}@git.farh.net/${{ github.repository }}.git" . - git fetch origin "${{ github.base_ref }}" --depth=1 - git fetch origin "${{ github.head_ref }}" --depth=1 + git fetch origin "$BASE_REF" --depth=1 + git fetch origin +refs/pull/*/head:refs/pull/*/head --depth=1 git checkout "${{ github.sha }}" - name: Get changed files run: | mkdir -p /tmp/pr-detect - git fetch origin "${{ github.base_ref }}" --depth=1 2>/dev/null - git fetch origin "${{ github.head_ref }}" --depth=1 2>/dev/null - git diff --name-only "origin/${{ github.base_ref }}" "${{ github.head_ref }}" > /tmp/pr-detect/changed_files.txt + git fetch origin "$BASE_REF" --depth=1 2>/dev/null + git fetch origin +refs/pull/*/head:refs/pull/*/head --depth=1 2>/dev/null + git diff --name-only "origin/$BASE_REF" HEAD > /tmp/pr-detect/changed_files.txt echo "Files found: $(wc -l < /tmp/pr-detect/changed_files.txt)" cat /tmp/pr-detect/changed_files.txt @@ -59,6 +67,7 @@ jobs: - name: Set PR label if: github.event_name == 'pull_request' + continue-on-error: true env: GH_TOKEN: ${{ github.token }} REPO: ${{ github.repository }} diff --git a/.github/workflows/plugin-release.yaml b/.github/workflows/plugin-release.yaml index aa2bd8d..4bb9352 100644 --- a/.github/workflows/plugin-release.yaml +++ b/.github/workflows/plugin-release.yaml @@ -39,7 +39,7 @@ jobs: - name: Verify GITEA_RELEASE_TOKEN is configured id: check env: - GITEA_RELEASE_TOKEN: ${{ secrets.GITEA_TOKEN }} + GITEA_RELEASE_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }} run: | if [ -z "$GITEA_RELEASE_TOKEN" ]; then echo "::notice::GITEA_RELEASE_TOKEN org secret is not configured (see PRI-1533). Release skipped — no artifacts will be created." 
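Review bot: In "Get changed files" both fetches discard stderr with `2>/dev/null`, so an authentication or missing-ref error leaves nothing in the log and the only visible output is the file count. The Checkout step just above in the same job already ran the same two fetches, so these look redundant; dropping them, or at least the redirect, would make a wrong `changed_files.txt` much easier to diagnose. `git diff --name-only "origin/$BASE_REF" HEAD` compares against the base tip, so files changed on the base branch after the PR forked will presumably be listed too; confirm that is acceptable for pipeline detection.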
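Review bot: `continue-on-error: true` on "Set PR label" makes a failed labelling call invisible in the job result, and nothing in the hunk records why that is acceptable. If anything downstream keys off the label (not visible here), a PR could proceed unlabelled without anyone noticing. A comment above the key such as `# best-effort: a labelling failure must not block detection` would document the intent; if the label is load-bearing, the step should fail instead. The step body continues outside the hunk.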
@@ -65,7 +65,7 @@ jobs: - name: Check write permissions via API id: check env: - GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} + GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }} REPO: ${{ github.repository }} run: | HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \ @@ -101,7 +101,7 @@ jobs: - name: Check if tag already exists id: check env: - GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} + GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }} REPO: ${{ github.repository }} run: | HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \ @@ -183,7 +183,7 @@ jobs: - name: Configure Git env: - GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} + GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }} run: | git config --global user.name "github-actions[bot]" git config --global user.email "github-actions[bot]@users.noreply.github.com" @@ -215,7 +215,7 @@ jobs: - name: Update appVersion from upstream release if: inputs.upstream-repo != '' env: - GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} + GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }} run: | APP_VERSION=$(curl -sf \ -H "Authorization: token ${GITEA_TOKEN}" \ @@ -290,7 +290,7 @@ jobs: - name: Commit and tag env: - GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} + GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }} run: | VERSION="${{ inputs.version }}" BRANCH="release/v${VERSION}" @@ -307,7 +307,7 @@ jobs: - name: Create Gitea Release env: - GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} + GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }} REPO: ${{ github.repository }} run: | VERSION="${{ inputs.version }}" @@ -340,7 +340,7 @@ jobs: - name: Create PR for version bump env: - GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} + GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }} REPO: ${{ github.repository }} run: | set -o pipefail @@ -398,7 +398,7 @@ jobs: - name: Verify checksums are consistent (main == tag == tarball) env: - GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} + GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }} REPO: ${{ github.repository }} run: | VERSION="${{ inputs.version }}" 
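Review bot: The release-scoped secret is now handed to steps that, judging by their names and the visible curl lines, only read: "Check if tag already exists", "Update appVersion from upstream release" and "Verify checksums are consistent". If the lower-privilege `secrets.GITEA_TOKEN` can reach those endpoints, keeping it there limits where the write-capable token is exposed; if it cannot, a one-line comment on each step would record why. The env name `GITEA_TOKEN` now carries `GITEA_RELEASE_TOKEN`, which is easy to misread later, although the scripts that consume it lie outside these hunks.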
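Review bot: `VERSION="${{ inputs.version }}"` in "Commit and tag" is still expanded by the workflow engine straight into the script text, the same pattern this commit removes for `github.base_ref` in the PR workflows. Passing it through the step's env (`VERSION_INPUT: ${{ inputs.version }}`, then `VERSION="$VERSION_INPUT"`) keeps a crafted version string from being parsed as shell in a step that now holds the release token. The same line is visible in the "Create Gitea Release" and "Verify checksums are consistent" hunks. The run blocks continue outside the hunks.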
diff --git a/.github/workflows/pr-validation.yaml b/.github/workflows/pr-validation.yaml index 73c2b7f..285c6cc 100644 --- a/.github/workflows/pr-validation.yaml +++ b/.github/workflows/pr-validation.yaml @@ -11,26 +11,34 @@ jobs: steps: - name: Checkout + env: + HEAD_REF: ${{ github.head_ref }} + BASE_REF: ${{ github.base_ref }} run: | git clone --depth=1 "https://x-access-token:${{ secrets.GITEA_TOKEN }}@git.farh.net/${{ github.repository }}.git" . - git fetch origin "${{ github.base_ref }}" --depth=1 - git fetch origin "${{ github.head_ref }}" --depth=1 + git fetch origin "$BASE_REF" --depth=1 + git fetch origin +refs/pull/*/head:refs/pull/*/head --depth=1 git checkout "${{ github.sha }}" - name: Install actionlint run: | ACTIONLINT_VERSION="1.7.7" mkdir -p "$HOME/.local/bin" - curl -fsSL "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" \ + apt-get install -y wget -qq >/dev/null 2>&1 || true + wget -qO- "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" \ | tar -xz -C "$HOME/.local/bin" actionlint echo "$HOME/.local/bin" >> "$GITHUB_PATH" - name: Validate workflow YAML with actionlint - run: actionlint -color .github/workflows/*.yaml + run: actionlint -shellcheck="" -color .github/workflows/*.yaml - name: Install shellcheck run: | - sudo apt-get update -qq && sudo apt-get install -y -qq shellcheck >/dev/null 2>&1 + SC_VERSION="v0.10.0" + mkdir -p "$HOME/.local/bin" + wget -qO- "https://github.com/koalaman/shellcheck/releases/download/${SC_VERSION}/shellcheck-${SC_VERSION}.linux.x86_64.tar.xz" \ + | tar -xJ --strip-components=1 -C "$HOME/.local/bin" "shellcheck-${SC_VERSION}/shellcheck" + echo "$HOME/.local/bin" >> "$GITHUB_PATH" - name: Shellcheck scripts run: |
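Review bot: "Install shellcheck" now replaces the distro package with a release tarball that is piped straight into `tar` with no integrity check, and the actionlint download above it has the same shape. Pinning the SHA-256 of each archive and verifying it before extraction keeps a replaced or tampered release asset from executing in this job. `apt-get install -y wget -qq >/dev/null 2>&1 || true` also hides a failed install, so the first visible error would come from `tar`. `-shellcheck=""` turns off actionlint's shellcheck pass over `run:` blocks; if that was only because shellcheck is installed later, moving the install step ahead of the actionlint run would restore it.

```yaml
      - name: Install shellcheck
        run: |
          SC_VERSION="v0.10.0"
          # Placeholder: replace with the published SHA-256 of this exact tarball.
          SC_SHA256="<sha256-of-shellcheck-tarball>"
          SC_TARBALL="shellcheck-${SC_VERSION}.linux.x86_64.tar.xz"
          mkdir -p "$HOME/.local/bin"
          wget -q -O "/tmp/${SC_TARBALL}" "https://github.com/koalaman/shellcheck/releases/download/${SC_VERSION}/${SC_TARBALL}"
          # Refuse to extract anything that does not match the pinned digest.
          echo "${SC_SHA256}  /tmp/${SC_TARBALL}" | sha256sum -c -
          tar -xJ --strip-components=1 -C "$HOME/.local/bin" -f "/tmp/${SC_TARBALL}" "shellcheck-${SC_VERSION}/shellcheck"
          # … unchanged: append $HOME/.local/bin to GITHUB_PATH …
```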