diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b367bb9..aef2bf9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -143,12 +143,15 @@ jobs:
 attestations: true
 print-hash: true
+ # The publish job has no repository checkout, so `gh release upload`
+ # cannot infer the target repo from .git/config. Pass it explicitly
+ # via `--repo`.
 - name: Upload SBOM to GitHub Release
 env:
 GH_TOKEN: ${{ github.token }}
- run: gh release upload "${{ github.ref_name }}" sbom.cdx.json --clobber
+ run: gh release upload "${{ github.ref_name }}" sbom.cdx.json --repo "${{ github.repository }}" --clobber
 - name: Upload SHA256SUMS to GitHub Release
 env:
 GH_TOKEN: ${{ github.token }}
- run: gh release upload "${{ github.ref_name }}" SHA256SUMS.txt --clobber
+ run: gh release upload "${{ github.ref_name }}" SHA256SUMS.txt --repo "${{ github.repository }}" --clobber
diff --git a/Cargo.lock b/Cargo.lock
index a8fa33a..f6be3ac 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1209,9 +1209,9 @@ checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
 [[package]]
 name = "rand"
-version = "0.9.2"
+version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
+checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea"
 dependencies = [
 "rand_chacha",
 "rand_core",
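Review bot: In the release.yml hunk, both rewritten `run:` lines expand `${{ github.ref_name }}` and now also `${{ github.repository }}` directly into the script text, so the values are substituted before the shell parses the line and the surrounding double quotes do not contain them. The workflow trigger and the job's `permissions:` are outside this hunk, but a publish step that holds `GH_TOKEN` is where this pattern is least desirable. Passing the values through the step's `env:` removes the interpolation and the flag: add `GH_REPO: ${{ github.repository }}` and `TAG: ${{ github.ref_name }}` beside `GH_TOKEN`, then use `run: gh release upload "$TAG" sbom.cdx.json --clobber`, and likewise for `SHA256SUMS.txt`. `gh` reads `GH_REPO` when there is no checkout, so the added comment would then read `# No checkout in this job; gh takes the target repo from GH_REPO.`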