Add scripts/sync-skills.sh that copies skills from this repo into the
basecamp/skills distribution repo on each tagged release. The release
workflow runs the script after a successful release, using the existing
GitHub App for authentication.

The script discovers skills via skills/*/SKILL.md, copies them
(excluding *.go and dotfiles), removes stale skills tracked by a
.managed-skills manifest, and commits with provenance metadata.
Safety guards validate the target remote URL (exact github.com host
match) and branch. Push failures from non-fast-forward are retried
once after rebase; other errors fail immediately.

DRY_RUN=local and DRY_RUN=remote modes support offline and
authenticated testing respectively. Makefile targets (sync-skills,
sync-skills-remote) expose these for manual use.

On sync failure, the workflow creates or comments on a deduplicated
issue in basecamp/skills and emits a ::error annotation.

- Reject '.' and '..' explicitly in manifest validation before the
  regex check, which would otherwise accept them
- Add SKILLS_TOKEN guard to sync-skills-remote Makefile target
- Wrap retry push in error handling so failures produce a clear message

When no .managed-skills manifest exists in the target repo, treat all
*/SKILL.md directories as previously managed so stale skills are
cleaned up on the first run rather than becoming permanent drift.

Also widen the manifest entry validator to accept mixed-case names.

- Set timeout-minutes: 10 on sync-skills job to match the convention
  set by the release job and avoid 6-hour hangs on network issues
- Redact credentials from the origin URL in assert_remote_url error
  messages so tokens are never logged

On first run (no .managed-skills manifest), all */SKILL.md directories
in the target are treated as managed. This is intentional — basecamp-cli
is the source of truth. DRY_RUN=remote can preview the effect.

Make variables aren't automatically exported as environment variables
to subprocesses — pass it explicitly like the other env vars.