diff --git a/.github/workflows/versioning.yaml b/.github/workflows/versioning.yaml index e08152889..d84e7ae3c 100644 --- a/.github/workflows/versioning.yaml +++ b/.github/workflows/versioning.yaml @@ -1,4 +1,6 @@ # Workflow that runs on versioning metadata updates. +# Uses GITHUB_TOKEN (not a personal PAT) for same-repo operations. +# Cross-repo API updates require POLICYENGINE_GITHUB secret (org-level PAT). name: Versioning updates on: @@ -11,16 +13,20 @@ on: - pyproject.toml workflow_dispatch: +permissions: + contents: write + jobs: Versioning: runs-on: ubuntu-latest if: | (!(github.event.head_commit.message == 'Update package version')) + outputs: + committed: ${{ steps.commit.outputs.committed }} steps: - name: Checkout repo uses: actions/checkout@v4 with: - token: ${{ secrets.POLICYENGINE_GITHUB }} fetch-depth: 0 - name: Install uv uses: astral-sh/setup-uv@v5 @@ -35,18 +41,20 @@ jobs: python .github/bump_version.py towncrier build --yes --version $(python -c "import re; print(re.search(r'version = \"(.+?)\"', open('pyproject.toml').read()).group(1))") - name: Update changelog + id: commit uses: EndBug/add-and-commit@v9 with: add: "." message: Update package version Publish: runs-on: ubuntu-latest - if: (github.event.head_commit.message == 'Update package version') - env: - GH_TOKEN: ${{ secrets.POLICYENGINE_GITHUB }} + needs: Versioning + if: needs.Versioning.outputs.committed == 'true' steps: - name: Checkout repo uses: actions/checkout@v4 + with: + ref: main - name: Install uv uses: astral-sh/setup-uv@v5 @@ -71,6 +79,7 @@ jobs: password: ${{ secrets.PYPI }} skip_existing: true - name: Update API + if: ${{ secrets.POLICYENGINE_GITHUB != '' }} run: python .github/update_api.py env: - GITHUB_TOKEN: ${{ secrets.POLICYENGINE_GITHUB }} \ No newline at end of file + GITHUB_TOKEN: ${{ secrets.POLICYENGINE_GITHUB }} 
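Review bot: The workflow-level `permissions: contents: write` added in the second hunk grants write on the repository contents to every job, but only `Versioning` needs it (it is what lets `EndBug/add-and-commit` push with the default `GITHUB_TOKEN` now that `token:` was dropped from checkout); `Publish` only checks out and uploads, so it should run with a read-only token. Move the grant to job level: under `Versioning` add `permissions:` / `  contents: write`, and under `Publish` add `permissions:` / `  contents: read`, dropping the top-level block. This keeps the PyPI-publishing job, which executes a third-party action with the token still persisted in the checkout, from being able to push to the repository if that action is ever compromised.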
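Review bot: The `ref: main` added to Publish's checkout in the third hunk publishes whatever `main` points at when the job starts, not necessarily the version-bump commit that `Versioning` just pushed; if another push lands in between, the package built and uploaded to PyPI will not match the changelog/version commit, and the `committed == 'true'` gate does not protect against that. Pin the checkout to the exact commit instead: expose it from the first job with `sha: ${{ steps.commit.outputs.commit_long_sha }}` next to the existing `committed:` output, and use `ref: ${{ needs.Versioning.outputs.sha }}` here. I believe add-and-commit v9 documents `commit_long_sha` as an output; verify the name against the action's README before relying on it.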
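Review bot: The `if: ${{ secrets.POLICYENGINE_GITHUB != '' }}` added to the "Update API" step in the last hunk is likely to fail workflow validation rather than skip the step, because the `secrets` context is not available in step-level `if` expressions (GitHub's context-availability table lists `env`, `steps`, `needs`, `github` and a few others for `steps.if`, but not `secrets`). The usual workaround is to surface the secret through `env` and test that: reintroduce a job-level `env:` on Publish with `POLICYENGINE_GITHUB: ${{ secrets.POLICYENGINE_GITHUB }}` and change the guard to `if: ${{ env.POLICYENGINE_GITHUB != '' }}`. Note this makes the PAT visible to every step of Publish, which is no worse than the `GH_TOKEN` job env this diff removes, but if that is unwanted a preceding `run` step can instead write `present=${{ secrets.POLICYENGINE_GITHUB != '' }}` to `$GITHUB_OUTPUT` and the guard can check that step output.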
diff --git a/changelog.d/fix-versioning-workflow.changed.md b/changelog.d/fix-versioning-workflow.changed.md new file mode 100644 index 000000000..e5c5351cd --- /dev/null +++ b/changelog.d/fix-versioning-workflow.changed.md @@ -0,0 +1 @@ +Replaced personal PAT with `GITHUB_TOKEN` in versioning workflow. Publish now runs as a sequential job instead of requiring a re-triggered workflow, removing the dependency on a personal access token for same-repo operations. \ No newline at end of file