diff --git a/.gitea/workflows/auto-tag.yml b/.gitea/workflows/auto-tag.yml
index 5979c2a8..d6f09447 100644
--- a/.gitea/workflows/auto-tag.yml
+++ b/.gitea/workflows/auto-tag.yml
@@ -134,15 +134,44 @@ jobs:
         env:
           RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
         run: |
-          set -eu
-          git add CHANGELOG.md
-          if git diff --staged --quiet; then
-            echo "No changelog changes"
-          else
-            TAG=$(git describe --tags --abbrev=0)
-            git commit -m "chore: update CHANGELOG.md for ${TAG} [skip ci]"
-            git push origin HEAD:master
+          set -euo pipefail
+          API="http://172.0.0.29:3000/api/v1/repos/$GITHUB_REPOSITORY"
+          TAG=$(git describe --tags --abbrev=0)
+          # Validate tag format to prevent shell injection in commit message / JSON
+          if ! echo "$TAG" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "ERROR: Unexpected tag format: $TAG"
+            exit 1
           fi
+          # Fetch current blob SHA from master; empty if file doesn't exist yet
+          CURRENT_SHA=$(curl -sf \
+            -H "Accept: application/json" \
+            -H "Authorization: token $RELEASE_TOKEN" \
+            "$API/contents/CHANGELOG.md?ref=master" 2>/dev/null \
+            | jq -r '.sha // empty' 2>/dev/null || true)
+          # Base64-encode content (no line wrapping)
+          CONTENT=$(base64 -w 0 CHANGELOG.md)
+          # Build JSON payload — omit "sha" when file doesn't exist yet (new repo)
+          PAYLOAD=$(jq -n \
+            --arg msg  "chore: update CHANGELOG.md for ${TAG} [skip ci]" \
+            --arg body "$CONTENT" \
+            --arg sha  "$CURRENT_SHA" \
+            'if $sha == ""
+             then {message: $msg, content: $body, branch: "master"}
+             else {message: $msg, content: $body, sha: $sha, branch: "master"}
+             end')
+          # PUT atomically updates (or creates) the file on master — no fast-forward needed
+          RESP_FILE=$(mktemp)
+          HTTP_CODE=$(curl -s -o "$RESP_FILE" -w "%{http_code}" -X PUT \
+            -H "Authorization: token $RELEASE_TOKEN" \
+            -H "Content-Type: application/json" \
+            -d "$PAYLOAD" \
+            "$API/contents/CHANGELOG.md")
+          if [ "$HTTP_CODE" -lt 200 ] || [ "$HTTP_CODE" -ge 300 ]; then
+            echo "ERROR: Failed to update CHANGELOG.md (HTTP $HTTP_CODE)"
+            cat "$RESP_FILE" >&2
+            exit 1
+          fi
+          echo "✓ CHANGELOG.md committed to master"
 
       - name: Upload CHANGELOG.md as release asset
         env: