diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 31a71ef..8c84c5e 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -48,17 +48,30 @@ jobs:
           REF: ${{ github.ref }}
           SHA: ${{ github.sha }}
           TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          USER_TOKEN: ${{ secrets.token }}
         run: |
           git config --global init.defaultBranch main
           if [ -f "$GITHUB_WORKSPACE/Dockerfile" ]; then exit 0; fi
           mkdir -p "$GITHUB_WORKSPACE"
           cd "$GITHUB_WORKSPACE"
           git init .
-          if [ -z "$TOKEN" ]; then
-            echo "Warning: GITHUB_TOKEN is not set. Attempting unauthenticated fetch (will fail for private repos)."
+          
+          # 优先使用 secrets.token (USER_TOKEN)，因为 secrets.GITHUB_TOKEN 在某些 Gitea 配置下可能权限受限
+          AUTH_TOKEN="$TOKEN"
+          if [ -n "$USER_TOKEN" ]; then
+            AUTH_TOKEN="$USER_TOKEN"
+            echo "Using secrets.token for authentication."
+          elif [ -n "$TOKEN" ]; then
+            echo "Using secrets.GITHUB_TOKEN for authentication."
+          else
+            echo "Warning: No token found. Attempting unauthenticated fetch (will fail for private repos)."
+          fi
+
+          if [ -z "$AUTH_TOKEN" ]; then
             git fetch --depth=1 "$SERVER/$REPO.git" "$REF"
           else
-            git -c http.extraHeader="Authorization: Bearer $TOKEN" fetch --depth=1 "$SERVER/$REPO.git" "$REF"
+            # 使用 Bearer Token 进行认证
+            git -c http.extraHeader="Authorization: Bearer $AUTH_TOKEN" fetch --depth=1 "$SERVER/$REPO.git" "$REF"
           fi
           git checkout FETCH_HEAD
       - name: Derive version