Pass token via FORGEJO_TOKEN env var, not CLI argument

Avoids exposing the token in process listings. Resolution order:
--token flag > FORGEJO_TOKEN env > 1Password op read.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.forgejo/workflows/branch-cleanup.yaml

@@ -30,12 +30,11 @@ jobs:
 
       - name: Run branch cleanup
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          FORGEJO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           CUTOFF="${{ inputs.cutoff || '30' }}"
           echo "Running branch cleanup with cutoff=${CUTOFF} days..."
           uv run --script mise-tasks/branch-cleanup \
             --remote-only \
             --yes \
-            --token "$GITHUB_TOKEN" \
             --cutoff "$CUTOFF"

mise-tasks/branch-cleanup

@@ -18,8 +18,9 @@ Detects merged branches via two methods:
   2. Forgejo API (catches squash-merged PRs)
 
 Remote branches are deleted via the Forgejo API. The token is resolved:
-  1. --token flag (for CI: pass $GITHUB_TOKEN)
-  2. 1Password: op read (for local use, prompts biometric)
+  1. --token flag (explicit)
+  2. FORGEJO_TOKEN environment variable (for CI)
+  3. 1Password: op read (for local use, prompts biometric)
 
 Local branches are deleted via git branch -D.
 
@@ -32,6 +33,7 @@ Usage:
     mise run branch-cleanup --dry-run        # preview only
 """
 
+import os
 import subprocess
 from datetime import datetime, timezone
 from typing import Annotated
@@ -60,9 +62,12 @@ def run_git(*args: str) -> str:
 
 
 def resolve_token(explicit_token: str | None, console: Console) -> str:
-    """Resolve Forgejo API token: explicit flag > 1Password."""
+    """Resolve Forgejo API token: explicit flag > FORGEJO_TOKEN env > 1Password."""
     if explicit_token:
         return explicit_token
+    env_token = os.environ.get("FORGEJO_TOKEN", "").strip()
+    if env_token:
+        return env_token
     console.print("[dim]Reading Forgejo API token from 1Password...[/dim]")
     try:
         result = subprocess.run(