diff --git a/.woodpecker/ci.yml b/.woodpecker/ci.yml
index 08ae24d..fc2f12a 100644
--- a/.woodpecker/ci.yml
+++ b/.woodpecker/ci.yml
@@ -8,6 +8,19 @@
 when:
   event: [push, pull_request]
 
+# Override default clone to authenticate against Forgejo using FORGE_TOKEN.
+# Required because Forgejo is configured with REQUIRE_SIGN_IN, so anonymous
+# git clones fail with exit code 128. FORGE_TOKEN is injected globally via
+# WOODPECKER_ENVIRONMENT in docker-compose.yml (generated by lib/generators.sh).
+clone:
+  git:
+    image: alpine/git
+    commands:
+      - AUTH_URL=$(printf '%s' "$CI_REPO_CLONE_URL" | sed "s|://|://token:$FORGE_TOKEN@|")
+      - git clone --depth 1 "$AUTH_URL" .
+      - git fetch --depth 1 origin "$CI_COMMIT_REF"
+      - git checkout FETCH_HEAD
+
 steps:
   - name: shellcheck
     image: koalaman/shellcheck-alpine:stable
diff --git a/lib/generators.sh b/lib/generators.sh
index 753de2e..20369a0 100644
--- a/lib/generators.sh
+++ b/lib/generators.sh
@@ -79,6 +79,7 @@ services:
       WOODPECKER_AGENT_SECRET: ${WOODPECKER_AGENT_SECRET:-}
       WOODPECKER_DATABASE_DRIVER: sqlite3
       WOODPECKER_DATABASE_DATASOURCE: /var/lib/woodpecker/woodpecker.sqlite
+      WOODPECKER_ENVIRONMENT: "FORGE_TOKEN:${FORGE_TOKEN}"
     depends_on:
       - forgejo
     networks: