Skip to content

ci: replace archived release actions with gh CLI#42

Open
matreurai wants to merge 1 commit into
mainfrom
fix/release-action-node24
Open

ci: replace archived release actions with gh CLI#42
matreurai wants to merge 1 commit into
mainfrom
fix/release-action-node24

Conversation

@matreurai

Copy link
Copy Markdown
Collaborator

actions/create-release@v1 and actions/upload-release-asset@v1 are archived and run only on the deprecated Node 20 runtime, with no newer version to upgrade to. Replace them with GitHub's pre-installed gh CLI (gh release create), avoiding any new third-party action. A staging step keeps released assets named TCASVS-. References NEW_TAG via the shell env rather than templating expressions into run blocks to avoid script-injection patterns.

actions/create-release@v1 and actions/upload-release-asset@v1 are archived and run only on the deprecated Node 20 runtime, with no newer version to upgrade to. Replace them with GitHub's pre-installed gh CLI (gh release create), avoiding any new third-party action. A staging step keeps released assets named TCASVS-<tag>. References NEW_TAG via the shell env rather than templating expressions into run blocks to avoid script-injection patterns.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the release workflow to stop using the archived actions/create-release@v1 and actions/upload-release-asset@v1 actions, and instead create releases and upload assets using the pre-installed gh CLI.

Changes:

  • Stage built artifacts into a release-assets/ directory with the desired TCASVS-<tag>.* naming.
  • Create a GitHub Release via gh release create and upload the staged assets in one step.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +86 to +90
cp ./5.0/dist/OWASP_Thick_Client_Application_Security_Verification_Standard_5.0.0_en.pdf release-assets/TCASVS-${{ env.NEW_TAG }}.pdf
cp ./5.0/dist/OWASP_Thick_Client_Application_Security_Verification_Standard_5.0.0_en.docx release-assets/TCASVS-${{ env.NEW_TAG }}.docx
cp ./5.0/dist/OWASP_Thick_Client_Application_Security_Verification_Standard_5.0.0_en.json release-assets/TCASVS-${{ env.NEW_TAG }}.json
cp ./5.0/dist/OWASP_Thick_Client_Application_Security_Verification_Standard_5.0.0_en.csv release-assets/TCASVS-${{ env.NEW_TAG }}.csv
cp ./5.0/dist/OWASP_Thick_Client_Application_Security_Verification_Standard_5.0.0_en.cdx.json release-assets/TCASVS-${{ env.NEW_TAG }}.cdx.json

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@matreurai - I was concerned about this interpolation too, so asked for a Copilot review.

Could you take a look and see what you think of it's suggestion please. I'm asking as IDK if you had to do it the way that you did in the PR or not?

Plus, my feeling is that even if risk is low, we should tighten up anyway (as a general rule)?

Comment on lines +97 to +100
gh release create "${{ env.NEW_TAG }}" \
--title "TCASVS ${{ env.NEW_TAG }}" \
--notes "Automated release ${{ env.NEW_TAG }}" \
release-assets/*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants