release: pass --repo to gh release download in attest workflow

Fernando Pinho · Fernando Pinho · commit 031d1ababb10 · 2026-05-25T16:57:34.000+02:00
The attest workflow doesn't actions/checkout first (it doesn't need the
source tree, only the binaries), so `gh release download` fails with
"fatal: not a git repository" because gh tries to infer the repo from
the working directory.

Fix: pass `--repo ${{ github.repository }}` explicitly.

Caught by the manual workflow_dispatch for v0.1.8.
diff --git a/.github/workflows/attest.yml b/.github/workflows/attest.yml
@@ -57,7 +57,13 @@ jobs:
           mkdir release-assets
           # Skip the source tarballs and installers — only the binaries
           # (`skillctl-*.tar.xz` / `*.zip`) need cryptographic provenance.
+          # `--repo` is required because we don't `actions/checkout` first
+          # (the workflow doesn't need the source tree — only the binaries
+          # from the release). Without it, `gh` tries to infer the repo
+          # from the working directory's git config and fails with
+          # "not a git repository".
           gh release download "$TAG" \
+            --repo "${{ github.repository }}" \
             --dir release-assets \
             --pattern 'skillctl-*-apple-darwin*' \
             --pattern 'skillctl-*-unknown-linux-gnu*' \
