Rewrite asset deploy.

This switches to `gh`, which is the more modern CLI and is also
available by default, so the old installer script can be removed.

This also tightens the scope where GITHUB_TOKEN is exposed to just
the step where `gh` is executed.

Finally, it tightens the permissions on the GITHUB_TOKEN (though
`contents: write` is extremely permissive, since that allows writing to
almost anything in the repo).
Eric Huss 2023-07-16 17:16:15 -07:00
parent baa936439d
commit 9497354cfd
3 changed files with 11 additions and 31 deletions


@ -7,6 +7,9 @@ defaults:
run:
shell: bash
permissions:
contents: write
jobs:
release:
name: Deploy Release
@ -32,14 +35,14 @@ jobs:
os: windows-latest
steps:
- uses: actions/checkout@master
- name: Install hub
run: ci/install-hub.sh ${{ matrix.os }}
- name: Install Rust
run: ci/install-rust.sh stable ${{ matrix.target }}
- name: Build and deploy artifacts
- name: Build asset
run: ci/make-release-asset.sh ${{ matrix.os }} ${{ matrix.target }}
- name: Update release with new asset
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: ci/make-release-asset.sh ${{ matrix.os }} ${{ matrix.target }}
run: gh release upload $MDBOOK_TAG $MDBOOK_ASSET
pages:
name: GitHub Pages
runs-on: ubuntu-latest
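Review bot: Scoping `GITHUB_TOKEN` to the `env:` of the `Update release with new asset` step does not fully keep the token away from the earlier steps, because `actions/checkout` by default stores the token in the checkout's git config, where `ci/install-rust.sh` and `ci/make-release-asset.sh` can still read it. Adding `with:` and `persist-credentials: false` under the checkout step would close that gap, since the upload step receives the token through `env:` anyway. With the token now carrying `contents: write`, I would also pin `actions/checkout@master` to a release tag or commit SHA instead of a branch, and quote the upload arguments: `run: gh release upload "$MDBOOK_TAG" "$MDBOOK_ASSET"`. The `permissions:` block sits at workflow level, so it also applies to the `pages` job, whose steps are outside this hunk.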


@ -1,24 +0,0 @@
#!/usr/bin/env bash
# Installs the `hub` executable into hub/bin
set -ex
case $1 in
ubuntu*)
curl -LsSf https://github.com/github/hub/releases/download/v2.12.8/hub-linux-amd64-2.12.8.tgz -o hub.tgz
mkdir hub
tar -xzvf hub.tgz --strip=1 -C hub
;;
macos*)
curl -LsSf https://github.com/github/hub/releases/download/v2.12.8/hub-darwin-amd64-2.12.8.tgz -o hub.tgz
mkdir hub
tar -xzvf hub.tgz --strip=1 -C hub
;;
windows*)
curl -LsSf https://github.com/github/hub/releases/download/v2.12.8/hub-windows-amd64-2.12.8.zip -o hub.zip
7z x hub.zip -ohub
;;
*)
echo "OS should be first parameter, was: $1"
;;
esac
echo "$PWD/hub/bin" >> $GITHUB_PATH


@ -44,9 +44,10 @@ case $1 in
esac
cd ../..
if [[ -z "$GITHUB_TOKEN" ]]
if [[ -z "$GITHUB_ENV" ]]
then
echo "$GITHUB_TOKEN not set, skipping deploy."
echo "GITHUB_ENV not set, run: gh release upload $TAG target/$asset"
else
hub release edit -m "" --attach $asset $TAG
echo "MDBOOK_TAG=$TAG" >> $GITHUB_ENV
echo "MDBOOK_ASSET=target/$asset" >> $GITHUB_ENV
fi
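Review bot: The two appends in the `else` branch write to an unquoted `$GITHUB_ENV` and put `$TAG` and `$asset` into a file whose entries become environment variables for every later step of the job, with no check on their contents. I would quote the redirect target, `echo "MDBOOK_TAG=$TAG" >> "$GITHUB_ENV"` and likewise for `MDBOOK_ASSET`, and confirm that `TAG` cannot contain whitespace or a newline. `TAG` and `asset` are assigned earlier in the script, outside this hunk, so how they are derived cannot be checked from here. A comment above the `if`, such as `# Hand the tag and asset path to the workflow's upload step via GITHUB_ENV.`, would also explain why the script no longer uploads the asset itself.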