From 552ef016e46e678b8efc85d7a78ede5831689e69 Mon Sep 17 00:00:00 2001 From: Ralf Anton Beier Date: Sun, 24 May 2026 21:55:48 +0200 Subject: [PATCH] Release: set GH_REPO so gh release can find the repo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The v0.1.0 release run completed all the substantive steps — 4 binary builds, SBOM, SHA256SUMS, SLSA build provenance, cosign keyless sig — but the final "Create or update GitHub Release" step failed with: failed to run git: fatal: not a git repository (or any of the parent directories): .git The wohl checkout lives at `wohl/` (so the relay sibling can co-locate at `../relay`), so $GITHUB_WORKSPACE itself has no `.git`. `gh release view/create/upload` falls back to a git remote lookup and errors out. Setting `GH_REPO: ${{ github.repository }}` tells the gh CLI which repo to act on without needing git context. Re-running the workflow via workflow_dispatch on the existing tag v0.1.0 will redo the full pipeline — fresh OIDC, fresh sigs, fresh attestations — and upload everything. No retag needed. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/release.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5e7e9b0..b1f63c6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -253,6 +253,13 @@ jobs: - name: Create or update GitHub Release env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # The wohl checkout is at `wohl/` (not the workspace root, so + # we can co-locate the relay sibling at `../relay`). That means + # the workspace root has no `.git`, and `gh release ...` can't + # infer the repo via the normal git remote lookup. GH_REPO + # makes it explicit. Without this the step fails with + # `fatal: not a git repository`. + GH_REPO: ${{ github.repository }} # Untrusted-input safety: the tag name flows in via env: and is # dereferenced through $VERSION, never expanded into the shell. INPUT_TAG: ${{ inputs.tag }}