diff --git a/app/git.js b/app/git.js
index 143e848..fe11ac5 100644
--- a/app/git.js
+++ b/app/git.js
@@ -21,11 +21,12 @@ export async function commitAndPush(workspace, _spawnSync = spawnSync) {
 const remoteUrl = `${baseUrl}/${GITEA_REPOSITORY}.git`;
 const repoDir = path.join(workspace, 'repo');
- // Write a temporary askpass script so the token never appears in the URL or process list
+ // Write a temporary askpass script that reads the token from an env var,
+ // so the token value never appears in the script file itself
 const askpassScript = path.join(workspace, '.git-askpass.sh');
- fs.writeFileSync(askpassScript, `#!/bin/sh\necho "${GITEA_TOKEN}"\n`, { mode: 0o700 });
+ fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 });
- const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token' };
+ const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN };
 try {
 if (!fs.existsSync(repoDir)) {
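Review bot: The askpass script on the new `fs.writeFileSync` line answers every prompt with the token, so a username prompt from git gets the token too; `GIT_USERNAME` is set in `credEnv` but nothing visible reads it, and as far as I know git itself does not consume that variable. Usernames are more likely than passwords to end up in server or proxy access logs, so I would have the script branch on the prompt git passes as `$1`: `case "$1" in Username*) printf '%s\n' "$GIT_USERNAME" ;; *) printf '%s\n' "$GIT_TOKEN" ;; esac`. `printf` also avoids the backslash and `-n` handling that differs between `echo` implementations. Since the secret now lives in `credEnv`, anything git spawns (hooks, credential helpers, filters) inherits it, which deserves a comment such as `// GIT_TOKEN is visible to every child of git; pass credEnv only to the git calls that need auth`. The `try` block and any cleanup of the script are outside this hunk, so I cannot confirm the file is removed on failure.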