ci: reuse existing REGISTRY_TOKEN secret for package publish

The repo already has a write:package REGISTRY_TOKEN secret (used by docker.yml).
Reuse it for uv publish instead of requiring new GITEA_PACKAGE_* secrets:
authenticate as GITHUB_ACTOR with the token as password. Update packaging docs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

docs/packaging.md

@@ -66,15 +66,16 @@ first, builds with `uv`, and publishes to the Gitea PyPI registry.
 
 ### Required CI secrets
 
-The publish job uses Gitea Actions secrets — never hardcode credentials:
+The publish job reuses the **existing** `REGISTRY_TOKEN` Actions secret — the same
+PAT (`write:package`) that `docker.yml` uses to push images — so no new secret is
+needed. The token authenticates as its owning Gitea user, so `GITHUB_ACTOR` is the
+username and the token is the password.
 
 | Secret | Purpose |
 |--------|---------|
-| `GITEA_PACKAGE_USER` | Gitea username that owns the package |
-| `GITEA_PACKAGE_TOKEN` | least-privilege PAT with `write:package` |
+| `REGISTRY_TOKEN` | PAT with `write:package`; used for both image and package pushes |
 
-If either secret is absent the job fails loudly rather than publishing
-anonymously.
+If the secret is absent the job fails loudly rather than publishing anonymously.
 
 > Publishing to public PyPI is intentionally **not** configured. A second,
 > separately-gated `uv publish` step would be required and is left as a