From f3a76c93be0c68fb0f2512d37cc61bec2e1bf27f Mon Sep 17 00:00:00 2001
From: Moko Consulting <hello@mokoconsulting.tech>
Date: Thu, 28 May 2026 14:24:11 -0500
Subject: [PATCH] refactor(workflows): rename secrets
 MOKOGITEA_TOKEN/GITHUB_TOKEN, use x-access-token [skip bump]

---
 .mokogitea/workflows/auto-bump.yml     |  6 +--
 .mokogitea/workflows/auto-release.yml  | 61 +++++++++++++-------------
 .mokogitea/workflows/cascade-dev.yml   | 20 ++++-----
 .mokogitea/workflows/cleanup.yml       | 18 ++++----
 .mokogitea/workflows/pr-check.yml      | 26 +++++++++--
 .mokogitea/workflows/pre-release.yml   | 12 ++---
 .mokogitea/workflows/update-server.yml | 25 ++++++-----
 7 files changed, 94 insertions(+), 74 deletions(-)

diff --git a/.mokogitea/workflows/auto-bump.yml b/.mokogitea/workflows/auto-bump.yml
index 4d0ffc0..572facd 100644
--- a/.mokogitea/workflows/auto-bump.yml
+++ b/.mokogitea/workflows/auto-bump.yml
@@ -37,7 +37,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
           fetch-depth: 1
 
       - name: Setup moko-platform tools
@@ -49,7 +49,7 @@ jobs:
             echo "MOKO_CLI=/opt/moko-platform/cli" >> "$GITHUB_ENV"
           else
             git clone --depth 1 --branch main --quiet \
-              "https://x-access-token:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/moko-platform.git" \
+              "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/moko-platform.git" \
               /tmp/moko-platform-api
             cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
             echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
@@ -77,7 +77,7 @@ jobs:
 
           git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
           git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
           git add -A
           git commit -m "chore(version): auto-bump patch ${VERSION} [skip ci]" \
             --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
diff --git a/.mokogitea/workflows/auto-release.yml b/.mokogitea/workflows/auto-release.yml
index 8cdf410..8be9b71 100644
--- a/.mokogitea/workflows/auto-release.yml
+++ b/.mokogitea/workflows/auto-release.yml
@@ -63,12 +63,12 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
           fetch-depth: 1
 
       - name: Setup moko-platform tools
         env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
         run: |
           if ! command -v composer &> /dev/null; then
@@ -85,7 +85,7 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php /tmp/moko-platform-api/cli/release_promote.php \
             --from auto --to release-candidate \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
             --api-base "${API_BASE}" \
             --branch "${{ github.event.pull_request.head.ref || 'dev' }}"
 
@@ -95,7 +95,7 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php /tmp/moko-platform-api/cli/release_cascade.php \
             --stability release-candidate \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
             --api-base "${API_BASE}"
 
       - name: Summary
@@ -116,14 +116,20 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
           fetch-depth: 0
 
+      - name: Configure git for bot pushes
+        run: |
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+
       - name: Setup moko-platform tools
         env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN }}"}}'
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GITHUB_TOKEN }}"}}'
         run: |
           # Ensure PHP + Composer are available
           if ! command -v composer &> /dev/null; then
@@ -169,7 +175,7 @@ jobs:
         if: steps.version.outputs.skip != 'true'
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          RC_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          RC_JSON=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             "${API_BASE}/releases/tags/release-candidate" 2>/dev/null || echo "{}")
           RC_ID=$(echo "$RC_JSON" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('id',''))" 2>/dev/null || true)
 
@@ -285,10 +291,6 @@ jobs:
             exit 0
           fi
           VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          # Set push URL with token for branch-protected repos
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
           git add -A
           git commit -m "chore(release): build ${VERSION} [skip ci]" \
             --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
@@ -320,7 +322,7 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php /tmp/moko-platform-api/cli/release_promote.php \
             --from release-candidate --to stable \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
             --api-base "${API_BASE}" \
             --path . --branch main
           echo "Promoted RC → stable (${VERSION})" >> $GITHUB_STEP_SUMMARY
@@ -336,7 +338,7 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php /tmp/moko-platform-api/cli/release_create.php \
             --path . --version "$VERSION" --tag "$RELEASE_TAG" \
-            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
             --repo "${GITEA_REPO}" --branch main
           echo "Release created: ${VERSION}" >> $GITHUB_STEP_SUMMARY
 
@@ -352,7 +354,7 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php /tmp/moko-platform-api/cli/release_package.php \
             --path . --version "$VERSION" --tag "$RELEASE_TAG" \
-            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
             --repo "${GITEA_REPO}" --output /tmp || true
 
       # -- STEP 5: Write update stream (after build so SHA-256 is available) -----
@@ -363,9 +365,9 @@ jobs:
           SHA256="${{ steps.package.outputs.sha256_zip }}"
 
           # Fetch latest updates.xml from main so preserve logic has all channels
-          GA_TOKEN="${{ secrets.GA_TOKEN }}"
+          GITEA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
           API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
-          curl -sf -H "Authorization: token ${GA_TOKEN}" \
+          curl -sf -H "Authorization: token ${GITEA_TOKEN}" \
             "${API}/contents/updates.xml?ref=main" 2>/dev/null | \
             python3 -c "import sys,json,base64; print(base64.b64decode(json.load(sys.stdin)['content']).decode())" \
             > updates.xml 2>/dev/null || true
@@ -380,9 +382,6 @@ jobs:
 
           # Commit updates.xml if changed
           if ! git diff --quiet updates.xml 2>/dev/null; then
-            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-            git config --local user.name "gitea-actions[bot]"
-            git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
             git add updates.xml
             git commit -m "chore: update stable channel ${VERSION} [skip ci]" \
               --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
@@ -398,7 +397,7 @@ jobs:
           RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
           php /tmp/moko-platform-api/cli/release_body_update.php \
             --path . --version "${VERSION}" --tag "${RELEASE_TAG}" \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
             --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
             2>&1 || true
           echo "Release body updated" >> $GITHUB_STEP_SUMMARY
@@ -407,7 +406,7 @@ jobs:
       - name: "Step 9: Mirror release to GitHub"
         if: >-
           steps.version.outputs.skip != 'true' &&
-          secrets.GH_TOKEN != ''
+          secrets.GITHUB_TOKEN != ''
         continue-on-error: true
         run: |
           VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
@@ -416,8 +415,8 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php /tmp/moko-platform-api/cli/release_mirror.php \
             --version "$VERSION" --tag "$RELEASE_TAG" \
-            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
-            --gh-token "${{ secrets.GH_TOKEN }}" --gh-repo "$GH_REPO" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
+            --gh-token "${{ secrets.GITHUB_TOKEN }}" --gh-repo "$GH_REPO" \
             --branch main 2>&1 || true
           echo "GitHub mirror updated" >> $GITHUB_STEP_SUMMARY
 
@@ -425,14 +424,14 @@ jobs:
       - name: "Step 10: Push main to GitHub mirror"
         if: >-
           steps.version.outputs.skip != 'true' &&
-          secrets.GH_TOKEN != ''
+          secrets.GITHUB_TOKEN != ''
         continue-on-error: true
         run: |
           GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
           GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
           GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-          git remote add github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-            git remote set-url github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
+          git remote add github "https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
+            git remote set-url github "https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
           git fetch origin main --depth=1
           git push github origin/main:refs/heads/main --force 2>/dev/null \
             && echo "main branch pushed to GitHub mirror" \
@@ -448,7 +447,7 @@ jobs:
           php /tmp/moko-platform-api/cli/release_cascade.php \
             --stability stable \
             --version "${VERSION}" \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
             --api-base "${API_BASE}" 2>/dev/null || true
 
       - name: "Step 11: Delete and recreate dev branch from main"
@@ -456,7 +455,7 @@ jobs:
         continue-on-error: true
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
 
           # Delete dev branch
           curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
@@ -475,7 +474,7 @@ jobs:
         continue-on-error: true
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
           VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
           BRANCH_NAME="version/${VERSION}"
           MAIN_SHA=$(git rev-parse HEAD)
@@ -497,7 +496,7 @@ jobs:
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php /tmp/moko-platform-api/cli/version_reset_dev.php \
-            --token "${{ secrets.GA_TOKEN }}" --api-base "${API_BASE}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "${API_BASE}" \
             --branch dev --path . 2>&1 || true
 
       # -- Summary --------------------------------------------------------------
diff --git a/.mokogitea/workflows/cascade-dev.yml b/.mokogitea/workflows/cascade-dev.yml
index 4dbb135..f7f0b3c 100644
--- a/.mokogitea/workflows/cascade-dev.yml
+++ b/.mokogitea/workflows/cascade-dev.yml
@@ -4,8 +4,8 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Maintenance
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
+# INGROUP: moko-platform.Maintenance
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
 # PATH: /templates/workflows/cascade-dev.yml.template
 # VERSION: 02.00.00
 # BRIEF: Forward-merge main → all open branches after every push to main
@@ -52,7 +52,7 @@ jobs:
       - name: Discover target branches
         id: branches
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
 
@@ -61,7 +61,7 @@ jobs:
           ALL_BRANCHES=""
           while true; do
             BATCH=$(curl -sS \
-              -H "Authorization: token ${GA_TOKEN}" \
+              -H "Authorization: token ${GITEA_TOKEN}" \
               "${API}/branches?page=${PAGE}&limit=50" \
               | jq -r '.[].name // empty')
             [ -z "$BATCH" ] && break
@@ -93,7 +93,7 @@ jobs:
       - name: Cascade to all target branches
         if: steps.branches.outputs.targets != ''
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           SHORT_SHA="${GITHUB_SHA:0:7}"
@@ -111,7 +111,7 @@ jobs:
             # Check if branch is already up to date
             ENCODED_BRANCH=$(echo "$BRANCH" | sed 's|/|%2F|g')
             RESPONSE=$(curl -sS \
-              -H "Authorization: token ${GA_TOKEN}" \
+              -H "Authorization: token ${GITEA_TOKEN}" \
               "${API}/compare/${ENCODED_BRANCH}...main")
 
             AHEAD=$(echo "$RESPONSE" | jq '.total_commits // 0')
@@ -126,7 +126,7 @@ jobs:
 
             # Check for existing cascade PR
             EXISTING=$(curl -sS \
-              -H "Authorization: token ${GA_TOKEN}" \
+              -H "Authorization: token ${GITEA_TOKEN}" \
               "${API}/pulls?state=open&head=${GITEA_ORG}:main&base=${ENCODED_BRANCH}&limit=1")
 
             EXISTING_COUNT=$(echo "$EXISTING" | jq 'length')
@@ -139,7 +139,7 @@ jobs:
               # Create cascade PR
               PR_RESPONSE=$(curl -sS -w "\n%{http_code}" \
                 -X POST \
-                -H "Authorization: token ${GA_TOKEN}" \
+                -H "Authorization: token ${GITEA_TOKEN}" \
                 -H "Content-Type: application/json" \
                 -d "{
                   \"title\": \"chore: cascade main → ${BRANCH} (${SHORT_SHA}) [skip ci]\",
@@ -165,7 +165,7 @@ jobs:
 
             # Try auto-merge
             PR_DATA=$(curl -sS \
-              -H "Authorization: token ${GA_TOKEN}" \
+              -H "Authorization: token ${GITEA_TOKEN}" \
               "${API}/pulls/${PR_NUMBER}")
 
             MERGEABLE=$(echo "$PR_DATA" | jq -r '.mergeable // false')
@@ -178,7 +178,7 @@ jobs:
 
             MERGE_RESPONSE=$(curl -sS -w "\n%{http_code}" \
               -X POST \
-              -H "Authorization: token ${GA_TOKEN}" \
+              -H "Authorization: token ${GITEA_TOKEN}" \
               -H "Content-Type: application/json" \
               -d "{
                 \"Do\": \"merge\",
diff --git a/.mokogitea/workflows/cleanup.yml b/.mokogitea/workflows/cleanup.yml
index 3a81856..29ca4d4 100644
--- a/.mokogitea/workflows/cleanup.yml
+++ b/.mokogitea/workflows/cleanup.yml
@@ -4,8 +4,8 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Maintenance
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
+# INGROUP: moko-platform.Maintenance
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /.gitea/workflows/cleanup.yml
 # VERSION: 01.00.00
 # BRIEF: Scheduled cleanup — delete merged branches and old workflow runs
@@ -33,17 +33,17 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
 
       - name: Delete merged branches
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           echo "=== Merged Branch Cleanup ==="
           API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
 
           # List branches via API
-          BRANCHES=$(curl -sS -H "Authorization: token ${GA_TOKEN}" \
+          BRANCHES=$(curl -sS -H "Authorization: token ${GITEA_TOKEN}" \
             "${API}/branches?limit=50" | jq -r '.[].name')
 
           DELETED=0
@@ -56,7 +56,7 @@ jobs:
             # Check if branch is merged into main
             if git merge-base --is-ancestor "origin/${BRANCH}" origin/main 2>/dev/null; then
               echo "  Deleting merged branch: ${BRANCH}"
-              curl -sS -X DELETE -H "Authorization: token ${GA_TOKEN}" \
+              curl -sS -X DELETE -H "Authorization: token ${GITEA_TOKEN}" \
                 "${API}/branches/${BRANCH}" 2>/dev/null || true
               DELETED=$((DELETED + 1))
             fi
@@ -66,20 +66,20 @@ jobs:
 
       - name: Clean old workflow runs
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           echo "=== Workflow Run Cleanup ==="
           API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
           CUTOFF=$(date -d "30 days ago" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -v-30d +%Y-%m-%dT%H:%M:%SZ)
 
           # Get old completed runs
-          RUNS=$(curl -sS -H "Authorization: token ${GA_TOKEN}" \
+          RUNS=$(curl -sS -H "Authorization: token ${GITEA_TOKEN}" \
             "${API}/actions/runs?status=completed&limit=50" | \
             jq -r ".workflow_runs[] | select(.created_at < \"${CUTOFF}\") | .id" 2>/dev/null)
 
           DELETED=0
           for RUN_ID in $RUNS; do
-            curl -sS -X DELETE -H "Authorization: token ${GA_TOKEN}" \
+            curl -sS -X DELETE -H "Authorization: token ${GITEA_TOKEN}" \
               "${API}/actions/runs/${RUN_ID}" 2>/dev/null || true
             DELETED=$((DELETED + 1))
           done
diff --git a/.mokogitea/workflows/pr-check.yml b/.mokogitea/workflows/pr-check.yml
index 014f6b0..df06523 100644
--- a/.mokogitea/workflows/pr-check.yml
+++ b/.mokogitea/workflows/pr-check.yml
@@ -4,8 +4,8 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.CI
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
+# INGROUP: moko-platform.CI
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
 # PATH: /templates/workflows/universal/pr-check.yml.template
 # VERSION: 05.00.00
 # BRIEF: PR gate — branch policy + code validation before merge
@@ -108,7 +108,9 @@ jobs:
       - name: Detect platform
         id: platform
         run: |
-          PLATFORM=$(cat .mokogitea/.moko-platform 2>/dev/null | tr -d '[:space:]')
+          # Read platform from XML manifest (<platform> tag) or plain text fallback
+          PLATFORM=$(sed -n 's/.*<platform>\([^<]*\)<\/platform>.*/\1/p' .mokogitea/manifest.xml 2>/dev/null | head -1)
+          [ -z "$PLATFORM" ] && PLATFORM=$(cat .mokogitea/manifest.xml 2>/dev/null | tr -d '[:space:]')
           [ -z "$PLATFORM" ] && PLATFORM="generic"
           echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
 
@@ -192,3 +194,21 @@ jobs:
           FILE_COUNT=$(find "$SOURCE_DIR" -type f | wc -l)
           echo "Source: ${FILE_COUNT} files"
           [ "$FILE_COUNT" -gt 0 ] || { echo "::error::Source directory is empty"; exit 1; }
+
+  # ── Pre-Release RC Build ─────────────────────────────────────────────────
+  pre-release:
+    name: Build RC Package
+    runs-on: ubuntu-latest
+    needs: [branch-policy, validate]
+
+    steps:
+      - name: Trigger RC pre-release
+        env:
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          REPO: ${{ github.repository }}
+          BRANCH: ${{ github.head_ref }}
+          GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+        run: |
+          curl -s -X POST             "${GITEA_URL}/api/v1/repos/${REPO}/actions/workflows/pre-release.yml/dispatches"             -H "Authorization: token ${GITEA_TOKEN}"             -H "Content-Type: application/json"             -d "{\"ref\":\"${BRANCH}\",\"inputs\":{\"stability\":\"release-candidate\"}}"
+          echo "### Pre-Release" >> $GITHUB_STEP_SUMMARY
+          echo "Triggered RC build on branch \`${BRANCH}\`" >> $GITHUB_STEP_SUMMARY
diff --git a/.mokogitea/workflows/pre-release.yml b/.mokogitea/workflows/pre-release.yml
index edbe60e..7920f53 100644
--- a/.mokogitea/workflows/pre-release.yml
+++ b/.mokogitea/workflows/pre-release.yml
@@ -50,11 +50,11 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
 
       - name: Setup moko-platform tools
         env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
         run: |
           if ! command -v composer &> /dev/null; then
@@ -104,7 +104,7 @@ jobs:
           # Commit version bump
           git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
           git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
           git add -A
           git diff --cached --quiet || {
             git commit -m "chore(version): pre-release bump to ${VERSION} [skip ci]"
@@ -139,7 +139,7 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php ${MOKO_CLI}/release_create.php \
             --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
             --repo "${GITEA_REPO}" --branch dev --prerelease
 
       - name: Build package and upload
@@ -150,7 +150,7 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php ${MOKO_CLI}/release_package.php \
             --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
             --repo "${GITEA_REPO}" --output /tmp || true
 
       - name: Update updates.xml
@@ -207,7 +207,7 @@ jobs:
         continue-on-error: true
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
 
           php ${MOKO_CLI}/release_cascade.php \
             --stability "${{ steps.meta.outputs.stability }}" \
diff --git a/.mokogitea/workflows/update-server.yml b/.mokogitea/workflows/update-server.yml
index b99a5f2..cd2eff0 100644
--- a/.mokogitea/workflows/update-server.yml
+++ b/.mokogitea/workflows/update-server.yml
@@ -73,14 +73,14 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
           fetch-depth: 0
 
       - name: Setup moko-platform tools
         env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.GA_TOKEN }}"}}}'
+          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.MOKOGITEA_TOKEN }}"}}}'
         run: |
           if ! command -v composer &> /dev/null; then
             sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
@@ -106,9 +106,12 @@ jobs:
         run: |
           BRANCH="${{ github.ref_name }}"
 
-          # Auto-bump patch version
+          # Configure git for bot pushes
           git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
           git config --local user.name "gitea-actions[bot]"
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+
+          # Auto-bump patch version
           php ${MOKO_CLI}/version_bump.php --path . 2>/dev/null || true
 
           VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "0.0.0")
@@ -169,13 +172,13 @@ jobs:
           # Create or update Gitea release
           php ${MOKO_CLI}/release_create.php \
             --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
             --repo "${GITEA_REPO}" --branch "${{ github.ref_name }}" --prerelease
 
           # Build package and upload
           php ${MOKO_CLI}/release_package.php \
             --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
             --repo "${GITEA_REPO}" --output /tmp || true
 
       - name: Update updates.xml
@@ -199,8 +202,6 @@ jobs:
             ${SHA_FLAG}
 
           # Commit and push updates.xml
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
           git add updates.xml
           git diff --cached --quiet || {
             git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
@@ -211,9 +212,9 @@ jobs:
         if: github.ref_name != 'main' && steps.platform.outputs.platform == 'joomla'
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          GA_TOKEN="${{ secrets.GA_TOKEN }}"
+          GITEA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
 
-          FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
+          FILE_SHA=$(curl -sf -H "Authorization: token ${GITEA_TOKEN}" \
             "${API_BASE}/contents/updates.xml?ref=main" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
 
           if [ -n "$FILE_SHA" ] && [ -f "updates.xml" ]; then
@@ -231,7 +232,7 @@ jobs:
               '${API_BASE}/contents/updates.xml',
               data=payload, method='PUT',
               headers={
-                  'Authorization': 'token ${GA_TOKEN}',
+                  'Authorization': 'token ${GITEA_TOKEN}',
                   'Content-Type': 'application/json'
               })
           try:
@@ -257,7 +258,7 @@ jobs:
           ACTOR="${{ github.actor }}"
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
 
-          PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             "${API_BASE}/collaborators/${ACTOR}/permission" 2>/dev/null | \
             python3 -c "import sys,json; print(json.load(sys.stdin).get('permission','read'))" 2>/dev/null || echo "read")
           case "$PERMISSION" in