docs: mark CI release verified; note releases must be public for the installer

The Gitea Actions workflow published v0.4.0 successfully, so drop the "untested"
caveat. Document that release assets download anonymously — the repo/releases must
be public or install.sh gets a 404 (private repos 404 unauthenticated downloads).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.gitea/workflows/release.yml

@@ -4,8 +4,8 @@
 #
 # Requires: Gitea Actions enabled with a runner that has Go, make, curl, and jq
 # (the actions/checkout + actions/setup-go steps need the instance's Actions proxy).
-# This workflow has not been exercised against this repo's runners yet; if a step
-# is unavailable on your runner, the same result comes from `make release && make
+# Verified: this workflow published v0.4.0 on this instance. If a step is ever
+# unavailable on your runner, the same result comes from `make release && make
 # publish` locally (see RELEASING.md).
 name: release
 on:

RELEASING.md

@@ -39,8 +39,12 @@ git push origin v0.4.0     # (push via the tokenized HTTPS URL this repo uses)
 ```
 
 The workflow runs `make release` and uploads the assets to the release via the Gitea API. It needs
-Gitea Actions enabled with a runner that provides Go, make, curl, and jq. It hasn't been exercised
-against this repo's runners yet — if it doesn't fit your runner setup, fall back to Option A.
+Gitea Actions enabled with a runner that provides Go, make, curl, and jq. This is how v0.4.0 was
+published. If it ever doesn't fit your runner setup, fall back to Option A.
+
+> Note: release asset downloads are anonymous, so the repository (or at least its releases) must be
+> public for `skills/emcli/scripts/install.sh` to fetch binaries without a token. A private repo
+> returns 404 to unauthenticated downloads.
 
 ## After a release