From 3920e3638907f45af0a507919315082fc613a37d Mon Sep 17 00:00:00 2001
From: Nelson Spence
Date: Fri, 29 May 2026 23:25:52 -0500
Subject: [PATCH] Set release repo context without checkout
Signed-off-by: Nelson Spence
---
 .github/workflows/release.yml | 2 ++
 tests/release_signed_release_invariants.sh | 5 +++++
 2 files changed, 7 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c37aca2..850509a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -530,6 +530,7 @@ jobs:
 # registry artifact" half-state.
 env:
 GH_TOKEN: ${{ github.token }}
+ GH_REPO: ${{ github.repository }}
 TAG_NAME: ${{ github.ref_name }}
 run: |
 set -euo pipefail
@@ -738,5 +739,6 @@ jobs:
 - name: Publish the GitHub Release (un-draft)
 env:
 GH_TOKEN: ${{ github.token }}
+ GH_REPO: ${{ github.repository }}
 TAG_NAME: ${{ github.ref_name }}
 run: gh release edit "$TAG_NAME" --draft=false
diff --git a/tests/release_signed_release_invariants.sh b/tests/release_signed_release_invariants.sh
index eec5a30..2efc7c9 100755
--- a/tests/release_signed_release_invariants.sh
+++ b/tests/release_signed_release_invariants.sh
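Review bot: Neither added `GH_REPO` line says why it is there, in the env block of this hunk or on the un-draft step at `@@ -738`. The reason is recorded only in the test's failure messages: these jobs run without a checkout, so `gh` has no git remote to infer the repository from. A later cleanup could drop the variable as redundant, and only the invariant test would object. I would add a comment above each line, e.g. `# No checkout in this job: gh takes the target repo from GH_REPO.` The step that owns the first env block starts above the hunk, so whether other `gh` calls in that job need the same variable is not visible here.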
@@ -79,10 +79,13 @@ done # (2) release-assets-draft uploads every required asset class to the Release # ---------------------------------------------------------------------- body_draft="$(job_body release-assets-draft)" +github_repo_env_re='^[[:space:]]+GH_REPO:[[:space:]]*"?\$\{\{[[:space:]]*github\.repository[[:space:]]*\}\}"?[[:space:]]*$' for ext in '\.crate' '\.whl' '\.tar\.gz' '\.sigstore\.json' '\.intoto\.jsonl'; do printf '%s\n' "$body_draft" | grep -qE "dist/\*${ext}([^a-zA-Z]|$)" \ || fail "release-assets-draft must \`gh release upload\` dist/*$(printf '%s' "$ext" | sed 's/\\//g')" done +printf '%s\n' "$body_draft" | grep -qE "$github_repo_env_re" \ + || fail "release-assets-draft must set \`GH_REPO: \${{ github.repository }}\` (no checkout, so gh release upload needs explicit repo context)" # ---------------------------------------------------------------------- # (3) release-assets-draft must NOT un-draft (the dedicated un-draft job owns @@ -185,5 +188,7 @@ done unp="$(job_body publish-github-release)" printf '%s\n' "$unp" | grep -qE 'gh release edit.*--draft=false' \ || fail "publish-github-release must \`gh release edit --draft=false\` (this is the sole un-draft point)" +printf '%s\n' "$unp" | grep -qE "$github_repo_env_re" \ + || fail "publish-github-release must set \`GH_REPO: \${{ github.repository }}\` (no checkout, so gh release edit needs explicit repo context)" echo "OK: signed-release invariants hold."
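Review bot: The new `grep -qE "$github_repo_env_re"` check in section (2) passes if any line of the `release-assets-draft` job body sets `GH_REPO`, not necessarily the step that runs `gh release upload`. If the job has, or later gains, more than one step with an `env:` block, the variable could sit on the wrong step and the invariant would still hold while the upload runs without repo context. `job_body` is defined outside the hunk, so this is inferred from how its output is used here. If a step-level extractor is available I would match against the upload step only; otherwise record the limit next to the check: `# NOTE: job-wide match; does not prove GH_REPO is on the gh step itself.`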
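Review bot: The check added in the `publish-github-release` section at `@@ -185` depends on `github_repo_env_re`, which is assigned about a hundred lines earlier inside section (2). If that assignment is ever moved or removed and the script does not run under `set -u` (not visible in this hunk), `grep -qE ""` matches every line and the invariant passes silently. Expanding it as `grep -qE "${github_repo_env_re:?}"` at this use makes the check fail closed; moving the assignment up to the script's shared definitions would also remove the ordering dependency.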