diff --git a/.github/workflows/weekly-tag-scan.yml b/.github/workflows/weekly-tag-scan.yml
index 5298b80..4e69b12 100644
--- a/.github/workflows/weekly-tag-scan.yml
+++ b/.github/workflows/weekly-tag-scan.yml
@@ -43,7 +43,7 @@ jobs:
 
             - name: Compute new tags and manage PR
               env:
-                  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                  GH_TOKEN: ${{ secrets.PR_TOKEN }}
               run: |
                   # Collect lines added vs main (new tags).
                   # grep '^+[^+]' captures added lines but not the '+++' diff header.
@@ -93,7 +93,9 @@ jobs:
                   # any contributor commits. Otherwise create it fresh from main.
                   if git ls-remote --exit-code origin tag-scan/auto > /dev/null 2>&1; then
                       git fetch origin tag-scan/auto
+                      git stash
                       git checkout tag-scan/auto
+                      git stash pop
                   else
                       git checkout -b tag-scan/auto
                   fi
diff --git a/README.md b/README.md
index bbad68c..37d4965 100644
--- a/README.md
+++ b/README.md
@@ -96,6 +96,8 @@ Tags from GitHub topics and Hugging Face card metadata are free-form text, so th
 
 When first setting up your catalog, run the export script to generate a full list of your organization's current raw tags (saved to `scripts/tag-export.txt`), then use that list to build your initial `tag-groups.js`. A weekly GitHub Actions workflow will automatically open a pull request whenever 5 or more new tags (relative to the last committed baseline in `scripts/tag-export.txt`) are detected, keeping your tag groups up to date over time.
 
+> **Required secret:** The weekly tag scan workflow requires a fine-grained PAT stored as a repository secret named `PR_TOKEN` (Settings → Secrets and variables → Actions). The PAT must have **Pull requests: Read and write** permission on the catalog repo. 
+
 See **[docs/tag-grouping-process.md](docs/tag-grouping-process.md)** for full setup instructions, conventions, and guidance on using AI assistance for the initial grouping pass.
 
 ## Local Testing
diff --git a/docs/tag-grouping-process.md b/docs/tag-grouping-process.md
index 4ef3b4c..e1277d6 100644
--- a/docs/tag-grouping-process.md
+++ b/docs/tag-grouping-process.md
@@ -71,6 +71,10 @@ the GitHub and Hugging Face APIs, diffs them against the committed baseline in
 `scripts/tag-export.txt`, and opens (or updates) a pull request titled
 **`[Tag Scan] New tags detected — review tag-groups.js`** whenever 5 or more new tags appear.
 
+> **Prerequisite:** The workflow requires a fine-grained PAT stored as a repository secret named
+> `PR_TOKEN` with **Pull requests: Read and write** permission. Without it, the workflow will find
+> new tags and push the branch successfully, but fail when attempting to open the PR.
+
 You should update `public/tag-groups.js` when that PR is opened or updated.
 
 ---