From 6e299d2dd8ea5a665fb1d977ae882b5d3c8923f6 Mon Sep 17 00:00:00 2001 From: Carlos Alexandro Becker Date: Sun, 26 Apr 2026 16:27:31 -0300 Subject: [PATCH] docs: note GITHUB_TOKEN need for nightly resolution Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 4ee1201..e4a3dce 100644 --- a/README.md +++ b/README.md @@ -96,6 +96,11 @@ checksums file against the GoReleaser release workflow's OIDC identity. If > versions the cosign step is silently skipped — only the `checksums.txt` > SHA-256 verification runs. +> **Note**: when `version: nightly` is used, the action resolves the +> latest immutable `vX.Y.Z--nightly` release from the GitHub +> Releases API. Pass `GITHUB_TOKEN` to the action step (as in the example +> above) to avoid unauthenticated API rate limits. + To enable signature verification, install cosign before running the action: ```yaml
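
Review bot: the tag pattern `vX.Y.Z--nightly` in the added note has two consecutive hyphens, which reads as if a placeholder between them was dropped; if a component belongs there, spell it out, and if the double hyphen is literal, say so. The instruction to pass `GITHUB_TOKEN` leans on "the example above", which is outside this hunk, so state in the note itself how the token is supplied and which permissions it needs, so readers do not grant more than a read-only release lookup requires. It would also help to say what the action does when the lookup is rate limited, and whether the cosign behaviour described in the preceding note applies to the resolved nightly release.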