diff --git a/.forgejo/workflows/nyxscanner.yml b/.forgejo/workflows/nyxscanner.yml index f3c3d0c..2708ca7 100644 --- a/.forgejo/workflows/nyxscanner.yml +++ b/.forgejo/workflows/nyxscanner.yml @@ -7,9 +7,6 @@ on: jobs: nyx-scan: runs-on: docker-amd64 - permissions: - issues: write - pull-requests: write steps: - name: Checkout PR @@ -43,7 +40,7 @@ jobs: continue-on-error: true - name: Post findings as PR comment - if: always() + if: steps.nyx.outcome == 'failure' run: | FINDINGS=$(python3 -c " import json, sys 
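Review bot: `if: steps.nyx.outcome == 'failure'` only fires if the scan step is declared with `id: nyx`; that step lies outside this hunk, so the id cannot be confirmed from the diff. The preceding context line shows the scan running with `continue-on-error: true`, so any non-zero exit of the scanner — a crash, not only findings — also yields `outcome == 'failure'`, and if the SARIF still parses the comment script rewritten in the next hunk posts `NYX found 0 issue(s)` with an empty list. Consider keeping an explicit branch for empty `results`, e.g. `if not results: lines = ['⚠️ NYX scan failed without reportable findings; see the job log.']`, or gating the comment on the result count rather than the step outcome alone. A comment above the condition such as `# comment only when the scan step (id: nyx) exited non-zero; see the post-findings script for the empty case` would record the intent.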
@@ -53,28 +50,24 @@ jobs: results = data.get('runs', [{}])[0].get('results', []) - if not results: - body = '✅ NYX scan: no findings above threshold.' - else: - lines = [f'## 🔴 NYX found {len(results)} issue(s)\n'] - for r in results: - level = r.get('level', '?') - msg = r.get('message', {}).get('text', '?') - rule = r.get('ruleId', '?') - loc = r.get('locations', [{}])[0].get('physicalLocation', {}) - path = loc.get('artifactLocation', {}).get('uri', '?') - line = loc.get('region', {}).get('startLine', '?') - col = loc.get('region', {}).get('startColumn', '?') - lines.append(f'- **{level.upper()}** \`{path}:{line}:{col}\` [{rule}] — {msg}') - body = '\n'.join(lines) + lines = [f'## 🔴 NYX found {len(results)} issue(s)\n'] + for r in results: + level = r.get('level', '?') + msg = r.get('message', {}).get('text', '?') + rule = r.get('ruleId', '?') + loc = r.get('locations', [{}])[0].get('physicalLocation', {}) + path = loc.get('artifactLocation', {}).get('uri', '?') + line = loc.get('region', {}).get('startLine', '?') + col = loc.get('region', {}).get('startColumn', '?') + lines.append(f'- **{level.upper()}** \`{path}:{line}:{col}\` [{rule}] — {msg}') - print(body) + print('\n'.join(lines)) ") - curl -s -X POST \ - -H "Authorization: token ${{ github.token }}" \ + curl -sf -X POST \ + -H "Authorization: token ${{ secrets.FORGEJO_PUSH_TOKEN }}" \ -H "Content-Type: application/json" \ - "https://bitfreedom.net/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \ + "https://bitfreedom.net/code/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \ -d "{\"body\": $(python3 -c 'import json,sys; print(json.dumps(sys.stdin.read()))' <<< "$FINDINGS")}" - name: Fail if HIGH or above findings found
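Review bot: Replacing `${{ github.token }}` with `${{ secrets.FORGEJO_PUSH_TOKEN }}` in the Authorization header swaps the job-scoped, short-lived token for a stored long-lived credential, while the first hunk drops the `permissions:` block that had confined the job token to `issues`/`pull-requests` write. The secret's name suggests push (repository write) scope, which is more than posting an issue comment requires; a token limited to issue/PR comment write, held by a dedicated bot account, keeps the impact of a leaked secret to comments. If this workflow runs on pull requests from forks (the `on:` block is outside the hunk), forge runners normally withhold secrets there and the request will fail, which is worth confirming for this instance. Relatedly, `curl -sf` under a `-e` shell (the usual runner default) aborts the step on an HTTP error with no diagnostic output; `curl -sSf -X POST \` keeps the error message while staying quiet on success.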