From 9497354cfde664e46540fa2436ba79c0ea3b3d90 Mon Sep 17 00:00:00 2001 From: Eric Huss Date: Sun, 16 Jul 2023 17:16:15 -0700 Subject: [PATCH] Rewrite asset deploy. This switches to `gh` which is the more modern CLI, and also available by default which removes the old installer script. This also tightens the scope where GITHUB_TOKEN is exposed to just the step where `gh` is executed. Finally, it tightens the permissions on the GITHUB_TOKEN (though `contents: write` is extremely permissive, since that allows writing to almost anything in the repo). --- .github/workflows/deploy.yml | 11 +++++++---- ci/install-hub.sh | 24 ------------------------ ci/make-release-asset.sh | 7 ++++--- 3 files changed, 11 insertions(+), 31 deletions(-) delete mode 100755 ci/install-hub.sh diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index af538808..33f0905e 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -7,6 +7,9 @@ defaults: run: shell: bash +permissions: + contents: write + jobs: release: name: Deploy Release @@ -32,14 +35,14 @@ jobs: os: windows-latest steps: - uses: actions/checkout@master - - name: Install hub - run: ci/install-hub.sh ${{ matrix.os }} - name: Install Rust run: ci/install-rust.sh stable ${{ matrix.target }} - - name: Build and deploy artifacts + - name: Build asset + run: ci/make-release-asset.sh ${{ matrix.os }} ${{ matrix.target }} + - name: Update release with new asset env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: ci/make-release-asset.sh ${{ matrix.os }} ${{ matrix.target }} + run: gh release upload $MDBOOK_TAG $MDBOOK_ASSET pages: name: GitHub Pages runs-on: ubuntu-latest diff --git a/ci/install-hub.sh b/ci/install-hub.sh deleted file mode 100755 index 38da2c8c..00000000 --- a/ci/install-hub.sh +++ /dev/null 
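Review bot: The new `permissions:` block sits at workflow level, so `contents: write` is granted to every job in the file, including `pages`, and not only to `release`, where the upload runs. Declaring it under `jobs.release` would keep the write scope next to the step that needs it. The `pages` job's steps lie outside this hunk, so what that job requires cannot be seen here. If the block stays at the top level, a comment such as `# contents: write is required by "gh release upload" in the release job` would record why the scope exists.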
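Review bot: The `actions/checkout@master` step just above the new steps has no `with:` block, and checkout's `persist-credentials` input defaults to true, so the job token stays in the checked-out repository's git configuration for the rest of the job. The `Build asset` step, which presumably runs the project build, can therefore still reach a token with `contents: write`, even though `GITHUB_TOKEN` is now set in `env:` only on the upload step. Adding `with:` and `persist-credentials: false` under the checkout step would complete the narrowing this commit aims for. The expansions in the new `run:` line are also unquoted; `gh release upload "$MDBOOK_TAG" "$MDBOOK_ASSET"` avoids word splitting.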
@@ -1,24 +0,0 @@ -#!/usr/bin/env bash -# Installs the `hub` executable into hub/bin -set -ex -case $1 in - ubuntu*) - curl -LsSf https://github.com/github/hub/releases/download/v2.12.8/hub-linux-amd64-2.12.8.tgz -o hub.tgz - mkdir hub - tar -xzvf hub.tgz --strip=1 -C hub - ;; - macos*) - curl -LsSf https://github.com/github/hub/releases/download/v2.12.8/hub-darwin-amd64-2.12.8.tgz -o hub.tgz - mkdir hub - tar -xzvf hub.tgz --strip=1 -C hub - ;; - windows*) - curl -LsSf https://github.com/github/hub/releases/download/v2.12.8/hub-windows-amd64-2.12.8.zip -o hub.zip - 7z x hub.zip -ohub - ;; - *) - echo "OS should be first parameter, was: $1" - ;; -esac - -echo "$PWD/hub/bin" >> $GITHUB_PATH diff --git a/ci/make-release-asset.sh b/ci/make-release-asset.sh index 64ef84b9..1fb06ce8 100755 --- a/ci/make-release-asset.sh +++ b/ci/make-release-asset.sh @@ -44,9 +44,10 @@ case $1 in esac cd ../.. -if [[ -z "$GITHUB_TOKEN" ]] +if [[ -z "$GITHUB_ENV" ]] then - echo "$GITHUB_TOKEN not set, skipping deploy." + echo "GITHUB_ENV not set, run: gh release upload $TAG target/$asset" else - hub release edit -m "" --attach $asset $TAG + echo "MDBOOK_TAG=$TAG" >> $GITHUB_ENV + echo "MDBOOK_ASSET=target/$asset" >> $GITHUB_ENV fi
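Review bot: Both new `echo … >> $GITHUB_ENV` lines in the `else` branch leave the redirect target unquoted and write the values in the single-line `NAME=value` form, which only holds if `TAG` and `asset` never contain whitespace or line breaks. Quoting the target, as in `echo "MDBOOK_TAG=$TAG" >> "$GITHUB_ENV"`, is the minimal change. `TAG` and `asset` are assigned earlier in the script, outside this hunk, so whether they are validated cannot be checked here. A comment above the two lines, such as `# Hand the tag and asset path to the "gh release upload" step in deploy.yml`, would document that the workflow depends on the names `MDBOOK_TAG` and `MDBOOK_ASSET`.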