diff --git a/.github/actions/fetch-token/action.yml b/.github/actions/fetch-token/action.yml
new file mode 100644
index 0000000000..4141616641
--- /dev/null
+++ b/.github/actions/fetch-token/action.yml
@@ -0,0 +1,36 @@
+name: "Fetch GitHub Token from Pool"
+description: "Fetches a token from mise-versions token pool"
+inputs:
+  api-secret:
+    description: "API secret for mise-versions"
+    required: true
+outputs:
+  token:
+    description: "The GitHub token"
+    value: ${{ steps.fetch.outputs.token }}
+  token-id:
+    description: "Token ID for rate-limit reporting"
+    value: ${{ steps.fetch.outputs.token_id }}
+runs:
+  using: "composite"
+  steps:
+    - id: fetch
+      shell: bash
+      run: |
+        if [ -z "${{ inputs.api-secret }}" ]; then
+          echo "No API secret provided, skipping token fetch"
+          exit 0
+        fi
+        response=$(curl -sf -H "Authorization: Bearer ${{ inputs.api-secret }}" \
+          "https://mise-versions.jdx.dev/api/token" || true)
+        if [ -n "$response" ]; then
+          token=$(echo "$response" | jq -r '.token')
+          # Validate token looks like a GitHub token (starts with gh and has reasonable length)
+          if [[ "$token" =~ ^gh[a-z]_[A-Za-z0-9_]+$ ]] && [ ${#token} -ge 20 ]; then
+            echo "::add-mask::$token"
+            echo "token=$token" >> "$GITHUB_OUTPUT"
+            echo "token_id=$(echo "$response" | jq -r '.token_id')" >> "$GITHUB_OUTPUT"
+          else
+            echo "Invalid or missing token in response, skipping"
+          fi
+        fi
diff --git a/.github/workflows/registry.yml b/.github/workflows/registry.yml
index 8b24db206c..08681253bd 100644
--- a/.github/workflows/registry.yml
+++ b/.github/workflows/registry.yml
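Review bot: `inputs.api-secret` is spliced into the bash script text with `${{ }}` on the `if [ -z ... ]` and `curl -H` lines (and so also onto the curl argv), instead of being read from the environment; the established pattern is `env: API_SECRET: ${{ inputs.api-secret }}` plus `"$API_SECRET"` in the script, which rules out expression injection if this action is ever wired to a non-secret input. The `token_id` written to `$GITHUB_OUTPUT` is taken from the response body unvalidated, so a newline in it (a compromised or misbehaving pool service) could inject further output keys — gate it the same way `token` is gated by its regex. A `200` with a non-JSON body also makes `jq` fail under the composite `shell: bash` defaults (`-eo pipefail`), failing the step rather than taking the "skipping" path the messages promise; `jq ... 2>/dev/null || true` keeps the best-effort intent. The regex only admits classic `gh?_` prefixes, so a fine-grained `github_pat_` token placed in the pool would be rejected as invalid; if that is intended, a comment on the regex line saying so would save the next reader a debugging session.
```yaml
    - id: fetch
      shell: bash
      env:
        API_SECRET: ${{ inputs.api-secret }}
      run: |
        if [ -z "$API_SECRET" ]; then
          echo "No API secret provided, skipping token fetch"
          exit 0
        fi
        response=$(curl -sf -H "Authorization: Bearer $API_SECRET" \
          "https://mise-versions.jdx.dev/api/token" || true)
        if [ -n "$response" ]; then
          token=$(echo "$response" | jq -r '.token // empty' 2>/dev/null || true)
          # … unchanged: token regex / length check and ::add-mask:: …
            token_id=$(echo "$response" | jq -r '.token_id // empty' 2>/dev/null || true)
            # token_id is written to $GITHUB_OUTPUT: allow a single plain-text line only
            if [[ "$token_id" =~ ^[A-Za-z0-9_.-]+$ ]]; then
              echo "token_id=$token_id" >> "$GITHUB_OUTPUT"
            fi
          # … unchanged: else branch …
        fi
```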
@@ -94,6 +94,14 @@ jobs:
         tranche: ${{ fromJson(needs.list-changed-tools.outputs.tools == '' && '[0,1,2,3,4,5,6,7]' || '[0]') }}
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - name: Fetch token from pool
+        id: token
+        uses: ./.github/actions/fetch-token
+        with:
+          api-secret: ${{ secrets.MISE_VERSIONS_API_SECRET }}
+      - name: Set GITHUB_TOKEN from pool
+        if: steps.token.outputs.token
+        run: echo "GITHUB_TOKEN=${{ steps.token.outputs.token }}" >> "$GITHUB_ENV"
       - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           name: mise
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index ee4973265f..248486b7d6 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -185,6 +185,14 @@ jobs:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
+      - name: Fetch token from pool
+        id: token
+        uses: ./.github/actions/fetch-token
+        with:
+          api-secret: ${{ secrets.MISE_VERSIONS_API_SECRET }}
+      - name: Set GITHUB_TOKEN from pool
+        if: steps.token.outputs.token
+        run: echo "GITHUB_TOKEN=${{ steps.token.outputs.token }}" >> "$GITHUB_ENV"
       - name: Install build and test dependencies
         run: |
           sudo apt-get update
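Review bot: Writing the pooled token into `$GITHUB_ENV` as `GITHUB_TOKEN` at the `Set GITHUB_TOKEN from pool` step hands it to every later step in the job — starting with the third-party `actions/download-artifact` that immediately follows, and whatever comes after it (the rest of this job, and its `permissions:` block, are outside the hunk). Unlike the auto-generated token, which a step has to opt into via `${{ secrets.GITHUB_TOKEN }}` and which the job's `permissions:` constrains, a pool token carries whatever scopes its owner granted, so the job-level least-privilege settings no longer bound what a compromised downstream action could do with it. Scoping it with `env: GITHUB_TOKEN: ${{ steps.token.outputs.token }}` on only the steps that call the GitHub API keeps that blast radius small; the `::add-mask::` emitted by the composite action covers the logs, so this is a scope concern, not a logging one. If job-wide export is deliberate, a one-line comment would make that a visible decision: `# pooled token replaces GITHUB_TOKEN for every later step in this job`.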
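Review bot: `steps.token.outputs.token` is interpolated into the `run:` command line with `${{ }}` on the `Set GITHUB_TOKEN from pool` step; that is safe today only because the composite action regex-validates the token before emitting it, an invariant a reader of this workflow cannot see and that a later edit to the action could drop. Passing it through the environment makes the step safe on its own terms: `env: POOL_TOKEN: ${{ steps.token.outputs.token }}` above the `run:`, and `run: echo "GITHUB_TOKEN=$POOL_TOKEN" >> "$GITHUB_ENV"`. On pull requests from forks `secrets.MISE_VERSIONS_API_SECRET` is empty, so this job silently falls back to the default token there; a comment next to `api-secret:` noting that the fallback is expected would stop someone from "fixing" it. The job that contains these steps begins before the hunk.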