diff --git a/.github/workflows/detect-pr-pipeline.yaml b/.github/workflows/detect-pr-pipeline.yaml
index f64111d..7f004e8 100644
--- a/.github/workflows/detect-pr-pipeline.yaml
+++ b/.github/workflows/detect-pr-pipeline.yaml
@@ -14,12 +14,16 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 2
 
+    env:
+      HEAD_REF: ${{ github.head_ref }}
+      BASE_REF: ${{ github.base_ref }}
+
     steps:
       - name: Checkout
         run: |
           git clone --depth=1 "https://x-access-token:${{ secrets.GITEA_TOKEN }}@git.farh.net/${{ github.repository }}.git" .
-          git fetch origin "${{ github.base_ref }}" --depth=1
-          git fetch origin "${{ github.head_ref }}" --depth=1
+          git fetch origin "$BASE_REF" --depth=1
+          git fetch origin "$HEAD_REF" --depth=1
           git checkout "${{ github.sha }}"
 
       - name: Run detection tests
@@ -29,6 +33,10 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
 
+    env:
+      HEAD_REF: ${{ github.head_ref }}
+      BASE_REF: ${{ github.base_ref }}
+
     outputs:
       pipeline-type: ${{ steps.detect.outputs.pipeline-type }}
 
@@ -36,16 +44,16 @@ jobs:
       - name: Checkout
         run: |
           git clone --depth=1 "https://x-access-token:${{ secrets.GITEA_TOKEN }}@git.farh.net/${{ github.repository }}.git" .
-          git fetch origin "${{ github.base_ref }}" --depth=1
-          git fetch origin "${{ github.head_ref }}" --depth=1
+          git fetch origin "$BASE_REF" --depth=1
+          git fetch origin "$HEAD_REF" --depth=1
           git checkout "${{ github.sha }}"
 
       - name: Get changed files
         run: |
           mkdir -p /tmp/pr-detect
-          git fetch origin "${{ github.base_ref }}" --depth=1 2>/dev/null
-          git fetch origin "${{ github.head_ref }}" --depth=1 2>/dev/null
-          git diff --name-only "origin/${{ github.base_ref }}" "${{ github.head_ref }}" > /tmp/pr-detect/changed_files.txt
+          git fetch origin "$BASE_REF" --depth=1 2>/dev/null
+          git fetch origin "$HEAD_REF" --depth=1 2>/dev/null
+          git diff --name-only "origin/$BASE_REF" "origin/$HEAD_REF" > /tmp/pr-detect/changed_files.txt
           echo "Files found: $(wc -l < /tmp/pr-detect/changed_files.txt)"
           cat /tmp/pr-detect/changed_files.txt
 
diff --git a/.github/workflows/plugin-release.yaml b/.github/workflows/plugin-release.yaml
index aa2bd8d..1c66dab 100644
--- a/.github/workflows/plugin-release.yaml
+++ b/.github/workflows/plugin-release.yaml
@@ -39,7 +39,7 @@ jobs:
       - name: Verify GITEA_RELEASE_TOKEN is configured
         id: check
         env:
-          GITEA_RELEASE_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_RELEASE_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
         run: |
           if [ -z "$GITEA_RELEASE_TOKEN" ]; then
             echo "::notice::GITEA_RELEASE_TOKEN org secret is not configured (see PRI-1533). Release skipped — no artifacts will be created."
@@ -65,7 +65,7 @@ jobs:
       - name: Check write permissions via API
         id: check
         env:
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
           REPO: ${{ github.repository }}
         run: |
           HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
@@ -101,7 +101,7 @@ jobs:
       - name: Check if tag already exists
         id: check
         env:
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
           REPO: ${{ github.repository }}
         run: |
           HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \