Download latest release asset from pipeline using curl

I have a CI pipeline that uploads a file to the generic package repository:

curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file myfile.txt "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/${PKG}/${VERSION}/myfile.txt"

And references it in a release

- name: 'myfile'
  url: "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/${PKG}/${VERSION}/myfile.txt"
  filepath: '/myfile.txt'
  link_type: 'other'

This works fine and I can visit https://gitlab.com/${CI_PROJECT_PATH_SLUG}/-/releases/permalink/latest/downloads/myfile.txt in a browser to download the file as the latest release, as I’m logged in.

However if I attempt to download from a CI job using curl and the JOB-TOKEN:

curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" https://gitlab.com/${CI_PROJECT_PATH_SLUG}/-/releases/permalink/latest/downloads/myfile.txt

I get a redirect:

<html><body>You are being <a href="https://gitlab.com/users/sign_in">redirected</a>.</body></html>

How do I download a latest release asset from a CI Job using curl?

when I download assets I usually have to use a different format in pipeline

DOWNLOAD_URL="https://gitlab.com/api/v4/projects/$PROJECT_ID/packages/generic/$PROJECT_NAME-$BRANCH/$PACKAGE_VERSION/filename"

generic may differ for other asset types like pypi etc…and notice the $PROJECT_NAME-$BRANCH … that is something I do but your naming scheme could differ

EDIT: also note that… you cannot just REUSE your CI token… you need to have a deploy token for either that repository you’re fetching OR a group-wide token