fix: Gitea Actions use haskelseed runner and PACKAGE_* secrets

ubuntu-latest never matched the self-hosted runner; Gitea also rejects
GITEA_-prefixed secret names. Wire publish workflow to PACKAGE_USER/TOKEN.

docs/PACKAGE_RELEASE.md

@@ -60,8 +60,11 @@ Configure in Gitea: **Repository → Settings → Actions → Secrets**.
 
 | Secret | Value |
 |--------|-------|
-| `GITEA_PACKAGE_USER` | Gitea username with package upload permission (e.g. `tegwick`) |
-| `GITEA_PACKAGE_TOKEN` | Gitea API token with `write:package` scope |
+| `PACKAGE_USER` | Gitea username with package upload permission (e.g. `tegwick`) |
+| `PACKAGE_TOKEN` | Gitea API token with `write:package` scope |
+
+Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACKAGE_TOKEN`
+(not `GITEA_PACKAGE_USER`).
 
 The publish workflow fails at the upload step when either secret is missing or
 invalid. Do not commit tokens to the repository.
@@ -79,7 +82,7 @@ Before `git tag vX.Y.Z && git push origin vX.Y.Z`:
 - [ ] `make release-check` passes (tests, flake8, version consistency, agent parity)
 - [ ] `make package-check` builds and validates `dist/*`
 - [ ] `CHANGELOG.md` has a dated `[X.Y.Z]` section matching `pyproject.toml`
-- [ ] `GITEA_PACKAGE_USER` and `GITEA_PACKAGE_TOKEN` secrets are set
+- [ ] `PACKAGE_USER` and `PACKAGE_TOKEN` secrets are set
 - [ ] Publish workflow smoke-tested via `workflow_dispatch` (or prior tag release)
 - [ ] `make agents-sync-package` run if `agents/` changed since last release