diff --git a/.github/workflows/release-server.yaml b/.github/workflows/release-server.yaml
index 395df0d7..00e82852 100644
--- a/.github/workflows/release-server.yaml
+++ b/.github/workflows/release-server.yaml
@@ -123,7 +123,7 @@ jobs:
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
-          password: ${{ secrets.GITEA_TOKEN || github.token }}
+          password: ${{ secrets.registry_token }}
 
       - name: docker metadata
         id: docker_meta
diff --git a/NOTES.md b/NOTES.md
index b6ad5f55..88c576ed 100644
--- a/NOTES.md
+++ b/NOTES.md
@@ -58,11 +58,11 @@ The old `main`/`canary` branches have the legacy stack that's harder to self-hos
 
 The workflow tries to use `secrets.GITEA_TOKEN` or `github.token` for registry auth.
 
-**If automatic token fails**, create a Gitea Personal Access Token:
+**Required**: Create a Gitea Personal Access Token:
 1. Go to Gitea Settings → Applications → Generate New Token
-2. Name: `CI_REGISTRY_TOKEN`
-3. Permissions: Select `package:write`
-4. Add to repository secrets as `GITEA_TOKEN`
+2. Name: `CI_Container_Registry`
+3. Permissions: Select `package` (write access)
+4. Add to repository secrets as `registry_token` (Note: Can't use GITEA_ or GITHUB_ prefix)
 
 **Alternative**: Update the workflow to use username/password:
 - Create a secret `REGISTRY_USERNAME` with your Gitea username