diff --git a/.gitea/workflows/upstream-sync.yml b/.gitea/workflows/upstream-sync.yml
index 1fe9d1adfe..69d1d668d2 100644
--- a/.gitea/workflows/upstream-sync.yml
+++ b/.gitea/workflows/upstream-sync.yml
@@ -32,8 +32,10 @@ jobs:
 ref: main
 fetch-depth: 0
 lfs: false
- # Built-in token Gitea hands us — scoped to this repo, has push.
- token: ${{ secrets.GITEA_TOKEN }}
+ # Gitea's built-in GITEA_TOKEN is read-only by default.
+ # GIT_PUSH_TOKEN is a repo secret with a write-scoped PAT, so
+ # the subsequent `git push origin main` actually lands.
+ token: ${{ secrets.GIT_PUSH_TOKEN }}

 - name: Fetch upstream + wallet
 run: |
@@ -84,7 +86,11 @@ jobs:
 echo "wallet is $BEHIND commits behind main now; $NEW_ADDED new upstream commits this run"

 - name: Matrix notification (Infra room)
+ # Best-effort — if the target bot isn't in the room or Matrix is
+ # flapping, don't fail the whole run. The advance + push is the
+ # critical path; notify is a convenience ping.
 if: steps.ff.outputs.advanced == 'true'
+ continue-on-error: true
 env:
 MATRIX_TOKEN: ${{ secrets.MATRIX_HOUSE_BOT_TOKEN }}
 run: |
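Review bot: The checkout step now hands a long-lived, write-scoped PAT to `token:`, and if this is `actions/checkout` (the `uses:` line is outside the hunk) its default `persist-credentials: true` leaves that PAT in the workspace git config for every later step, including `Fetch upstream + wallet`, which by its name talks to other remotes. Unlike the per-run built-in token, the PAT outlives the job and carries whatever scope its owning account has. Consider adding `persist-credentials: false` here and passing `GIT_PUSH_TOKEN` only to the step that runs `git push origin main`. The comment could also record the intended scope, e.g. `# PAT from a dedicated bot account, write access to this repo only; rotate on expiry.`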
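Review bot: `continue-on-error: true` on the Matrix step swallows every failure, not only the room-membership and flapping cases the new comment names. An expired or revoked `MATRIX_HOUSE_BOT_TOKEN` would also pass silently, and the ping that tells operators main was advanced would simply stop. The comment should say so, for example `# Also hides auth failures (expired MATRIX_HOUSE_BOT_TOKEN); check this step's log if pings stop.` The `run:` body is outside the hunk, so whether it logs the HTTP status without echoing the token cannot be checked from here.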