diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml
index 1180c45c..5b3b5e62 100644
--- a/.github/workflows/merge.yml
+++ b/.github/workflows/merge.yml
@@ -3,11 +3,6 @@
 # has read permissions since the merge is coming from a fork (usually).
 name: merge-labeler
 
-# https://docs.github.com/en/rest/overview/permissions-required-for-fine-grained-personal-access-tokens?apiVersion=2022-11-28#repository-permissions-for-pull-requests
-permissions:
-    pull-requests: write
-    issues: write
-
 # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request
 on:
   pull_request:
@@ -15,14 +10,14 @@ on:
       - closed
 
 jobs:
-  accept:
+  relabel:
     if: github.event.pull_request.merged == true
     runs-on: ubuntu-latest
+    environment: merge
     steps:
     - uses: actions/checkout@v3
-    - run: |
-        echo ${{ github.token }} | cat >> .token
-        echo REPO ${{ github.repository }}
-        echo ID ${{ github.event.number }}
+      env:
+        MERGE_TOKEN: ${{ secrets.MERGE_TOKEN }}
+      run: |
         perl util/merge-labeler  ${{ github.repository }} ${{ github.event.number }}
 
diff --git a/util/merge-labeler b/util/merge-labeler
index a5db3146..749c8190 100755
--- a/util/merge-labeler
+++ b/util/merge-labeler
@@ -31,17 +31,12 @@ sub add_labels {
 	}
 
 sub curl {
-	state $token = do {
-		open my $fh, '<', '.token';
-		chomp( my $line = <$fh> );
-		$line;
-		};
+	state $token = $ENV{MERGE_TOKEN};
 
 	my( $method, @extra ) = @_;
 
 	my $command = [
 		'curl',
-		'-v',
 		'--silent',
 		'-X', $method,
 		'-H',  q('Accept: application/vnd.github.v3+json'),