diff --git a/scripts/gitea-init.sh b/scripts/gitea-init.sh
index 07b09d2e..bf9eea49 100755
--- a/scripts/gitea-init.sh
+++ b/scripts/gitea-init.sh
@@ -6,16 +6,24 @@
 # Runs database migrations, creates the admin user (if credentials are provided
 # and the user doesn't already exist), then starts the Gitea web server.
 #
-# This script is exec'd by /usr/bin/entrypoint, which has already:
-# - Set up UID/GID
-# - Created directories with correct permissions
-# - Converted GITEA__* env vars into /data/gitea/conf/app.ini
+# The Gitea entrypoint (/usr/bin/entrypoint) has already:
+# - Set up UID/GID, created directories, generated app.ini from GITEA__* env vars
+# But it exec's our CMD still as root — Gitea refuses to run as root.
+# We must drop to the 'git' user before running any gitea commands.
 # =============================================================================
 set -e
 PREFIX="[gitea-init]"
 log() { echo "$PREFIX $1"; }
+# Drop privileges: Gitea refuses to run as root. The Docker entrypoint
+# sets up directories as root, then exec's the CMD (us) — still as root.
+# Re-exec this script as the 'git' user via su-exec.
+if [ "$(id -u)" = "0" ]; then
+ log "Dropping to git user..."
+ exec su-exec git "$0" "$@"
+fi
+
 # --- Step 1: Run database migrations ---
 log "Running database migrations..."
 MIGRATE_OK=false
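Review bot: The privilege drop in `exec su-exec git "$0" "$@"` hard-codes the account name, although the header comment says the entrypoint has already set up UID/GID. If that setup can rename or remap the account (the stock Gitea entrypoint appears to do this when `USER` is overridden; whether this image does is not visible here), the lookup of `git` fails and the container exits with only su-exec's own error. And if `git` ever resolved to UID 0, the `id -u` test would re-exec the script indefinitely. Either take the name from the variable the entrypoint uses and reject `root`, or record the assumption next to the call, e.g. `# assumes the entrypoint leaves an account named 'git' with a non-zero UID`.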