diff --git a/.github/workflows/plugin-release.yaml b/.github/workflows/plugin-release.yaml
index 1c66dab..4bb9352 100644
--- a/.github/workflows/plugin-release.yaml
+++ b/.github/workflows/plugin-release.yaml
@@ -183,7 +183,7 @@ jobs:
 
       - name: Configure Git
         env:
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
         run: |
           git config --global user.name "github-actions[bot]"
           git config --global user.email "github-actions[bot]@users.noreply.github.com"
@@ -215,7 +215,7 @@ jobs:
       - name: Update appVersion from upstream release
         if: inputs.upstream-repo != ''
         env:
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
         run: |
           APP_VERSION=$(curl -sf \
             -H "Authorization: token ${GITEA_TOKEN}" \
@@ -290,7 +290,7 @@ jobs:
 
       - name: Commit and tag
         env:
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
         run: |
           VERSION="${{ inputs.version }}"
           BRANCH="release/v${VERSION}"
@@ -307,7 +307,7 @@ jobs:
 
       - name: Create Gitea Release
         env:
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
           REPO: ${{ github.repository }}
         run: |
           VERSION="${{ inputs.version }}"
@@ -340,7 +340,7 @@ jobs:
 
       - name: Create PR for version bump
         env:
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
           REPO: ${{ github.repository }}
         run: |
           set -o pipefail
@@ -398,7 +398,7 @@ jobs:
 
       - name: Verify checksums are consistent (main == tag == tarball)
         env:
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
           REPO: ${{ github.repository }}
         run: |
           VERSION="${{ inputs.version }}"
diff --git a/.github/workflows/pr-validation.yaml b/.github/workflows/pr-validation.yaml
index 739c160..61a7934 100644
--- a/.github/workflows/pr-validation.yaml
+++ b/.github/workflows/pr-validation.yaml
@@ -11,10 +11,13 @@ jobs:
 
     steps:
       - name: Checkout
+        env:
+          HEAD_REF: ${{ github.head_ref }}
+          BASE_REF: ${{ github.base_ref }}
         run: |
           git clone --depth=1 "https://x-access-token:${{ secrets.GITEA_TOKEN }}@git.farh.net/${{ github.repository }}.git" .
-          git fetch origin "${{ github.base_ref }}" --depth=1
-          git fetch origin "${{ github.head_ref }}" --depth=1
+          git fetch origin "$BASE_REF" --depth=1
+          git fetch origin "$HEAD_REF" --depth=1
           git checkout "${{ github.sha }}"
 
       - name: Install actionlint