diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index f28ec6c..fca6731 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -61,8 +61,10 @@ jobs:
       - name: Build & push image
         run: scripts/build-image.sh push
 
-      - name: Open digest-bump PR to home-ops
+      - name: Push digest-bump branch to home-ops
         env:
           HOME_OPS_SSH_KEY: ${{ secrets.HOME_OPS_SSH_KEY }}
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          # Optional: set secrets.HOMEOPS_PR_TOKEN to auto-open the PR. Unset = push branch only
+          # (you open+merge the PR — the approval gate). NOT GITEA_TOKEN (Gitea auto-injects that).
+          HOMEOPS_PR_TOKEN: ${{ secrets.HOMEOPS_PR_TOKEN }}
         run: scripts/bump-digest.sh
diff --git a/scripts/bump-digest.sh b/scripts/bump-digest.sh
index a55ae58..88bd859 100755
--- a/scripts/bump-digest.sh
+++ b/scripts/bump-digest.sh
@@ -51,9 +51,11 @@ git push origin "${BRANCH}"
 # --- PR (never auto-merge) -------------------------------------------------
 # Default (least-privilege): just push the branch — Jonathon opens+merges the PR (the approval
 # gate + the ArgoCD trigger). Only auto-open a PR if a GITEA_TOKEN is provided.
-if [[ -n "${GITEA_TOKEN:-}" ]]; then
+# NB: use a dedicated var name (NOT GITEA_TOKEN) — Gitea auto-injects GITEA_TOKEN into every job,
+# which would wrongly trigger this against the private instance. Default path just pushes the branch.
+if [[ -n "${HOMEOPS_PR_TOKEN:-}" ]]; then
   curl -fsSL -X POST "${GITEA_API}/repos/jwrong96/home-ops/pulls" \
-    -H "Authorization: token ${GITEA_TOKEN}" \
+    -H "Authorization: token ${HOMEOPS_PR_TOKEN}" \
     -H "Content-Type: application/json" \
     -d "{\"head\":\"${BRANCH}\",\"base\":\"main\",\"title\":\"bztmon-site: deploy ${TAG}\",\"body\":\"Automated digest bump.\\n\\nImage: \`${REF}\`\\n\\nMerge to roll out via ArgoCD.\"}"
   echo ">> PR opened for ${BRANCH}"
diff --git a/src/components/Hero.astro b/src/components/Hero.astro
index 9f753c9..f541db6 100644
--- a/src/components/Hero.astro
+++ b/src/components/Hero.astro
@@ -54,7 +54,11 @@ import { cvAvailable } from "../lib/assets";
   }
   .hero__title {
     font-size: var(--step-5);
+    line-height: 1.12;
     letter-spacing: -0.03em;
+    /* Extend the paint box below the baseline so background-clip:text doesn't
+       crop glyph descenders (the "g" in Wright). */
+    padding-bottom: 0.14em;
     background: linear-gradient(180deg, var(--text), color-mix(in srgb, var(--text) 62%, var(--accent)));
     -webkit-background-clip: text;
     background-clip: text;