ci: replace archived release actions with gh CLI#42
Open
matreurai wants to merge 1 commit into
Open
Conversation
actions/create-release@v1 and actions/upload-release-asset@v1 are archived and run only on the deprecated Node 20 runtime, with no newer version to upgrade to. Replace them with GitHub's pre-installed gh CLI (gh release create), avoiding any new third-party action. A staging step keeps released assets named TCASVS-<tag>. References NEW_TAG via the shell env rather than templating expressions into run blocks to avoid script-injection patterns.
There was a problem hiding this comment.
Pull request overview
This PR updates the release workflow to stop using the archived actions/create-release@v1 and actions/upload-release-asset@v1 actions, and instead create releases and upload assets using the pre-installed gh CLI.
Changes:
- Stage built artifacts into a
release-assets/directory with the desiredTCASVS-<tag>.*naming. - Create a GitHub Release via
gh release createand upload the staged assets in one step.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+86
to
+90
| cp ./5.0/dist/OWASP_Thick_Client_Application_Security_Verification_Standard_5.0.0_en.pdf release-assets/TCASVS-${{ env.NEW_TAG }}.pdf | ||
| cp ./5.0/dist/OWASP_Thick_Client_Application_Security_Verification_Standard_5.0.0_en.docx release-assets/TCASVS-${{ env.NEW_TAG }}.docx | ||
| cp ./5.0/dist/OWASP_Thick_Client_Application_Security_Verification_Standard_5.0.0_en.json release-assets/TCASVS-${{ env.NEW_TAG }}.json | ||
| cp ./5.0/dist/OWASP_Thick_Client_Application_Security_Verification_Standard_5.0.0_en.csv release-assets/TCASVS-${{ env.NEW_TAG }}.csv | ||
| cp ./5.0/dist/OWASP_Thick_Client_Application_Security_Verification_Standard_5.0.0_en.cdx.json release-assets/TCASVS-${{ env.NEW_TAG }}.cdx.json |
Collaborator
There was a problem hiding this comment.
@matreurai - I was concerned about this interpolation too, so asked for a Copilot review.
Could you take a look and see what you think of it's suggestion please. I'm asking as IDK if you had to do it the way that you did in the PR or not?
Plus, my feeling is that even if risk is low, we should tighten up anyway (as a general rule)?
Comment on lines
+97
to
+100
| gh release create "${{ env.NEW_TAG }}" \ | ||
| --title "TCASVS ${{ env.NEW_TAG }}" \ | ||
| --notes "Automated release ${{ env.NEW_TAG }}" \ | ||
| release-assets/* |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
actions/create-release@v1 and actions/upload-release-asset@v1 are archived and run only on the deprecated Node 20 runtime, with no newer version to upgrade to. Replace them with GitHub's pre-installed gh CLI (gh release create), avoiding any new third-party action. A staging step keeps released assets named TCASVS-. References NEW_TAG via the shell env rather than templating expressions into run blocks to avoid script-injection patterns.