diff --git a/.github/SETTINGS.md b/.github/SETTINGS.md index 31cf377..17c9d9d 100644 --- a/.github/SETTINGS.md +++ b/.github/SETTINGS.md @@ -99,6 +99,26 @@ appear. Then continue below. ## Secrets (when needed) — Secrets and variables → Actions +- [ ] `RELEASE_PLEASE_TOKEN` **(required for automated releases)**: + - Without this, release-please falls back to `GITHUB_TOKEN`. + GitHub's anti-recursion rule then suppresses every downstream + workflow triggered by release-please: the release PR's CI + doesn't run, and the tag it creates on merge doesn't fire + `release.yml`. Result: the release PR looks blocked forever + and goreleaser never publishes the release artifacts + automatically. + - Generate a fine-grained PAT at + : + - Resource owner: your account. + - Repository access: **Only select repositories** → this repo only. + - Repository permissions: + - **Contents**: Read and write + - **Pull requests**: Read and write + - **Workflows**: Read and write (release-please updates workflow + files if you ever add `extra-files` that include `.github/**`) + - Expiration: ≤ 1 year (fine-grained PATs cannot be infinite). + - Paste into repo secret named exactly `RELEASE_PLEASE_TOKEN`. + - [ ] `HOMEBREW_TAP_GITHUB_TOKEN` *(optional, add when ready to publish Homebrew)*: - Use your existing `amiwrpremium/homebrew-tap` repo (a single diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 7194698..d504089 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml 
@@ -20,7 +20,20 @@ jobs: release-please: runs-on: ubuntu-latest steps: + # token: RELEASE_PLEASE_TOKEN (a PAT) — not the default GITHUB_TOKEN. + # GitHub's anti-recursion rule suppresses downstream workflow triggers + # for any action that uses GITHUB_TOKEN. That means a release-please + # tag created via GITHUB_TOKEN does NOT fire release.yml on its tag + # push, and the release-please PR it opens does NOT fire ci.yml on + # `pull_request`. A PAT sidesteps both: the tag push and the PR + # creation look like real user events, so every downstream workflow + # fires normally. + # + # The PAT needs: Contents: Read+Write, Pull requests: Read+Write, + # Workflows: Read+Write (so release-please can update workflow + # files if needed). Scoped to this repo only. See SETTINGS.md. - uses: googleapis/release-please-action@v4 with: + token: ${{ secrets.RELEASE_PLEASE_TOKEN }} config-file: release-please-config.json manifest-file: .release-please-manifest.json
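Review bot: In the `.github/SETTINGS.md` hunk, the "Generate a fine-grained PAT at" item ends in a bare colon with no URL, so the checklist currently sends the reader nowhere; fill in the link before merging. Two further points on the same hunk: the **Workflows: Read and write** grant is justified only "if you ever add `extra-files` that include `.github/**`", so for least privilege it would be better documented as an optional step to enable when that condition actually holds rather than as part of the default grant; and since the expiration is capped at ≤ 1 year, the checklist should say what happens when the PAT expires (release-please silently falls back to `GITHUB_TOKEN` and the "release PR looks blocked forever" symptom returns) and where the rotation date is recorded, so the failure is recognised rather than rediscovered.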
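Review bot: In the `release-please.yml` hunk, `token: ${{ secrets.RELEASE_PLEASE_TOKEN }}` degrades silently: an unset secret expands to an empty string and the action falls back to `GITHUB_TOKEN`, reproducing exactly the suppressed-trigger behaviour the comment block describes. Consider a preceding step that checks the secret is non-empty and fails the job with a pointer to SETTINGS.md, so a missing or expired PAT surfaces immediately. Also, because the comment states that the PAT "sidesteps" GitHub's anti-recursion rule, every downstream workflow fired by release-please's tag push and PR creation now runs as the PAT owner; please confirm that `release.yml` and `ci.yml` do not themselves push tags or open PRs with this token, since the guard that normally stops such loops no longer applies, and consider scoping the job's `permissions:` for `GITHUB_TOKEN` down to read-only now that the PAT carries the write access.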