diff --git a/.gitea/workflows/secrets.yml b/.gitea/workflows/secrets.yml
index 23c606c..725f93f 100644
--- a/.gitea/workflows/secrets.yml
+++ b/.gitea/workflows/secrets.yml
@@ -140,37 +140,52 @@ jobs:
           [ -z "$changes" ] && changes="- 首次发布"
           body=$(printf '## 变更日志\n\n%s' "$changes")
 
-          payload=$(jq -n \
-            --arg tag "$tag" \
+          meta=$(jq -n \
             --arg name "secrets-mcp ${version}" \
             --arg body "$body" \
-            '{tag_name: $tag, name: $name, body: $body, draft: false}')
+            '{name: $name, body: $body, draft: false}')
 
-          # 若已存在同名 Release 则先删除（覆盖重发）
+          # 若已存在同名 Release，PATCH 更新（避免 DELETE+POST 触发唯一约束冲突）
           existing_code=$(curl -sS -o /tmp/existing-release.json -w '%{http_code}' \
             -H "Authorization: token $RELEASE_TOKEN" \
             "${release_api}/tags/${tag}")
+
           if [ "$existing_code" = "200" ]; then
-            old_id=$(jq -r '.id // empty' /tmp/existing-release.json)
-            if [ -n "$old_id" ]; then
-              curl -sS -o /dev/null -H "Authorization: token $RELEASE_TOKEN" \
-                -X DELETE "${release_api}/${old_id}"
-              echo "已删除旧 Release: ${old_id}"
+            release_id=$(jq -r '.id // empty' /tmp/existing-release.json)
+            http_code=$(curl -sS -o /tmp/release.json -w '%{http_code}' \
+              -H "Authorization: token $RELEASE_TOKEN" \
+              -H "Content-Type: application/json" \
+              -X PATCH "${release_api}/${release_id}" -d "$meta")
+            echo "已更新旧 Release: ${release_id} (HTTP ${http_code})"
+
+            # 删除旧 assets，上传前清空
+            jq -r '.[].id' <<< "$(curl -sS \
+              -H "Authorization: token $RELEASE_TOKEN" \
+              "${release_api}/${release_id}/assets")" | while read -r aid; do
+              curl -sS -o /dev/null \
+                -H "Authorization: token $RELEASE_TOKEN" \
+                -X DELETE "${release_api}/${release_id}/assets/${aid}"
+            done
+          else
+            # 首次创建
+            create_payload=$(jq -n \
+              --arg tag "$tag" \
+              --arg name "secrets-mcp ${version}" \
+              --arg body "$body" \
+              '{tag_name: $tag, name: $name, body: $body, draft: false}')
+            http_code=$(curl -sS -o /tmp/release.json -w '%{http_code}' \
+              -H "Authorization: token $RELEASE_TOKEN" \
+              -H "Content-Type: application/json" \
+              -X POST "$release_api" -d "$create_payload")
+            if [ "$http_code" != "201" ] && [ "$http_code" != "200" ]; then
+              echo "创建 Release 失败 (HTTP ${http_code})"
+              cat /tmp/release.json || true
+              exit 1
             fi
+            release_id=$(jq -r '.id' /tmp/release.json)
+            echo "已创建 Release: ${release_id}"
           fi
 
-          http_code=$(curl -sS -o /tmp/release.json -w '%{http_code}' \
-            -H "Authorization: token $RELEASE_TOKEN" \
-            -H "Content-Type: application/json" \
-            -X POST "$release_api" -d "$payload")
-
-          if [ "$http_code" != "201" ] && [ "$http_code" != "200" ]; then
-            echo "创建 Release 失败 (HTTP ${http_code})"
-            cat /tmp/release.json || true
-            exit 1
-          fi
-          release_id=$(jq -r '.id' /tmp/release.json)
-
           bin="target/${MUSL_TARGET}/release/${MCP_BINARY}"
           archive="${MCP_BINARY}-${tag}-x86_64-linux-musl.tar.gz"
           tar -czf "$archive" -C "$(dirname "$bin")" "$(basename "$bin")"