Document Gitea token status checks

README.md

@@ -76,6 +76,21 @@ AUDIT_COMMAND
 
 If a placeholder does not apply, remove it instead of inventing fake information.
 
+## Gitea API Token
+
+When working with private repositories on `git.wilkensxl.de`, Codex agents may find a local `GITEA_TOKEN` environment variable on the machine.
+
+Use `GITEA_TOKEN` only for read-oriented Gitea API checks unless the user explicitly asks for a write action. Typical safe checks include repository metadata, workflow run status, and package-read visibility. Never print the token, commit it, or copy it into workflow files.
+
+Example status endpoint:
+
+```text
+GET https://git.wilkensxl.de/api/v1/repos/REPOSITORY_OWNER/REPOSITORY_NAME/actions/runs
+Authorization: token GITEA_TOKEN
+```
+
+`REGISTRY_TOKEN` is still the intended secret name for CI package publishing inside `.gitea/workflows/build.yml`.
+
 ## Agent Prompt For A New Repo
 
 ```text

agent-quickstart.md

@@ -49,6 +49,10 @@ Does the project have CI?
 Are commands unknown?
   yes -> document PENDING in .codex/project.md
   no  -> wire commands into AGENTS.md and CI
+
+Is this a private Gitea repo with Actions?
+  yes -> if GITEA_TOKEN is set locally, use it for read-only API checks of repository and workflow-run status
+  no  -> use public web/API checks when available
 ```
 
 ## Minimal File Set

existing-project.md

@@ -145,6 +145,7 @@ Before final response:
 
 - run `git diff --check`,
 - run the smallest reliable verification command,
+- if using Gitea Actions, check the pushed workflow run; for private `git.wilkensxl.de` repositories, use a locally set `GITEA_TOKEN` for read-only API status checks when available,
 - list files changed,
 - mention any skipped checks,
 - do not create a release unless explicitly requested.

files/AGENTS.md

@@ -11,6 +11,7 @@ PROJECT_NAME: PROJECT_DESCRIPTION
 - Do not commit secrets, `.env` files, private keys, certificates, or tokens.
 - Do not rewrite history or run destructive git commands unless explicitly requested.
 - Do not create a release unless explicitly requested.
+- If `GITEA_TOKEN` is available locally, use it only for read-only Gitea API checks such as private repository metadata, package-read visibility, and Actions run status. Never print, commit, or store the token.
 
 ## Commands
 
@@ -45,4 +46,5 @@ ARTIFACT_NAME
 - Treat generated credentials and config files as sensitive.
 - Keep external network calls documented.
 - Prefer local processing for user data.
+- Keep CI publishing secrets in repository or organization secrets, not in tracked files. `REGISTRY_TOKEN` is the default package publishing secret name for the Gitea workflow template.
 

new-repository.md

@@ -154,6 +154,7 @@ Before final response:
 - run formatting or validation if available,
 - run the cheapest reliable verification command,
 - check `git diff --check`,
+- if using Gitea Actions, check the pushed workflow run; for private `git.wilkensxl.de` repositories, use a locally set `GITEA_TOKEN` for read-only API status checks when available,
 - summarize changed files,
 - do not create a release unless explicitly requested.