diff --git a/.gitea/workflows/builder-image.yml b/.gitea/workflows/builder-image.yml index 9b0eaeb..d72a3d7 100644 --- a/.gitea/workflows/builder-image.yml +++ b/.gitea/workflows/builder-image.yml @@ -38,7 +38,7 @@ jobs: with: registry: ${{ env.REGISTRY }} username: ${{ gitea.actor }} - password: ${{ secrets.GITEA_TOKEN }} + password: ${{ secrets.PACKAGE_TOKEN }} - name: Set up Buildx uses: docker/setup-buildx-action@v3 diff --git a/README.md b/README.md index 21bf9ae..cf75522 100644 --- a/README.md +++ b/README.md @@ -66,7 +66,7 @@ jobs: image: git.helu.ca/r/android:2026.06 credentials: username: ${{ gitea.actor }} - password: ${{ secrets.GITEA_TOKEN }} + password: ${{ secrets.PACKAGE_TOKEN }} ``` The build task is selectable: `assembleRelease` (APK, the default) or @@ -83,9 +83,10 @@ Signing happens at job time; nothing sensitive lives in the repo or the image. | `KEY_ALIAS` | signing key alias | | `KEY_PASSWORD` | key password | -`GITEA_TOKEN` needs `write:package` here (to push) and `read:package` in app -repos (to pull). The built-in token usually covers this; if your instance -scopes it tightly, use a PAT. +`PACKAGE_TOKEN` (a PAT, the same secret the other repos here use) needs +`write:package` in this repo (to push the image) and `read:package` in app +repos (to pull it). Set it as a repo or org-level Actions secret. The +built-in `gitea.token` is not used because it isn't scoped for the registry. ## First-run sequencing diff --git a/templates/build.yml b/templates/build.yml index e5bef63..5d9a208 100644 --- a/templates/build.yml +++ b/templates/build.yml @@ -29,7 +29,7 @@ jobs: image: git.helu.ca/r/android:2026.06 credentials: username: ${{ gitea.actor }} - password: ${{ secrets.GITEA_TOKEN }} + password: ${{ secrets.PACKAGE_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4
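Review bot: in `.gitea/workflows/builder-image.yml` (hunk `@@ -38,7 +38,7 @@`), `username: ${{ gitea.actor }}` is left unchanged while the password becomes a PAT, so the registry login pairs whoever triggered the run with a token that belongs to one fixed account. Consider taking the username from the same place as the token (for example a `PACKAGE_USER` secret or variable; that name is hypothetical) so the push does not depend on who the actor is and the login names the account that actually holds the credential.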
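Review bot: in the README paragraph added at `@@ -83,9 +83,10 @@`, a single `PACKAGE_TOKEN` is documented as both the push credential (`write:package`) and "the same secret the other repos here use", so every app-repo workflow that only needs to pull the image would hold a token that can also push it. Suggest splitting this into two secrets: a write-scoped PAT stored only as a repo secret here, and a separate `read:package` PAT for the secret that app repos and `templates/build.yml` consume. The sentence "Set it as a repo or org-level Actions secret" should then say which token goes at which level, since an org-level secret with `write:package` is readable by workflows in every repo in the org.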
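Review bot: in `templates/build.yml` (hunk `@@ -29,7 +29,7 @@`), the template now depends on a `PACKAGE_TOKEN` secret that each consuming repo has to provide, but nothing in the template itself says so. Add a comment above `credentials:` naming the required secret and noting that `read:package` is sufficient for the pull, so someone copying the template neither hits an unexplained image pull failure nor reaches for the write-scoped token used by the builder workflow.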