diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 80590b9..9c491a8 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -86,11 +86,20 @@ jobs:
         env:
           SERVER: ${{ github.server_url }}
           OWNER: ${{ github.repository_owner }}
+          ACTOR: ${{ github.actor }}
+          TOKEN: ${{ secrets.PUBLISH_TOKEN }}
         run: |
           set -euo pipefail
           apt-get update
           apt-get install -y --no-install-recommends \
             cmake make gcc libc6-dev dpkg-dev file ca-certificates curl
+          # The Gitea Debian registry is private: apt needs HTTP Basic Auth. [trusted=yes]
+          # only skips GPG verification, NOT authentication — hence the prior 401. The token
+          # is written to auth.conf.d (never echoed to the log).
+          install -d -m 0700 /etc/apt/auth.conf.d
+          printf 'machine %s login %s password %s\n' "${SERVER#*://}" "$ACTOR" "$TOKEN" \
+            > /etc/apt/auth.conf.d/gitea.conf
+          chmod 600 /etc/apt/auth.conf.d/gitea.conf
           echo "deb [trusted=yes] ${SERVER}/api/packages/${OWNER}/debian stable main" \
             > /etc/apt/sources.list.d/gitea.list
           apt-get update