workflows: replace softprops/action-gh-release with gh CLI (v24.13.0)#23
Draft
harshita-gupta wants to merge 1 commit into v24.13.0 from
Supply-chain hardening: softprops/action-gh-release is a single-maintainer third-party action pinned to the mutable @v1 tag. Replacing it with the first-party `gh` CLI (pre-installed on GitHub-hosted runners, maintained by GitHub) removes that dependency from the release-upload path.

Migrates all three release-upload call-sites on v24.13.0:

- build-node.yml
- build-node-fibers.yml
- build-node-packages.yml

(v24.13.0 has no build-node-openssl-fips.yml.)

Each Upload step becomes:

- view-or-create guard so the first matrix arm creates the release (and the second arm tolerates the race);
- `gh release upload --clobber` for the asset (matches softprops's always-delete-then-upload behavior on name collision);
- `gh release edit --title` to preserve softprops's behavior of always re-setting the release name on every upload.

Each job also picks up `REPO: ${{ github.repository }}` in its env block.
This was referenced Apr 27, 2026
DO NOT MERGE until canary PR #20 (main) is validated
This is part of the rollout of the softprops → gh-CLI migration across all Asana/node branches. The canary PR on main (#20) must be merged and end-to-end validated first. Merging this PR before then risks landing a regression on a production release branch with no safety net.
Validation checklist to complete on main (#20) before touching this PR
- main.
- main via `workflow_dispatch`. Both matrix arms (`linux-x64`, `linux-arm64`) succeed without a race failure on `gh release create`.
- `node-vX.Y.Z-release` exists with title `node-vX.Y.Z-LATEST`, and both architecture archives appear as assets.
- main. Assets appear; release title still correct.
- main. Assets appear; release title still correct.
- main with appropriate `BUILD_REF`. Assets appear in the separate `-fips-static-release` release with the expected title. (Note: this branch has no FIPS workflow, but the FIPS migration on main exercises the same replacement-block shape.)
- `sha256sum` of an asset uploaded post-migration on main against one uploaded pre-migration should match.

Only after all of those pass, mark this PR ready for review and merge.
Summary
Supply-chain hardening: `softprops/action-gh-release` is a single-maintainer third-party action pinned to the mutable `@v1` tag. Replacing it with the first-party `gh` CLI (pre-installed on GitHub-hosted runners, maintained by GitHub) removes that dependency from the release-upload path.

Migrates all three release-upload call-sites on v24.13.0:

- `.github/workflows/build-node.yml`
- `.github/workflows/build-node-fibers.yml`
- `.github/workflows/build-node-packages.yml`

(v24.13.0 has no `build-node-openssl-fips.yml`.)

After this PR: zero references to `softprops/action-gh-release` on v24.13.0.

Replacement shape
Each softprops step becomes:
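An added shell rendering of that step shape (example code, not the PR's own workflow YAML): a view-or-create guard that tolerates the second matrix arm losing the race, then `gh release upload --clobber` and `gh release edit --title`. It assumes `REPO` and `GH_TOKEN` are exported by the job env and that `--notes ""` keeps `gh release create` non-interactive.

```shell
#!/usr/bin/env sh
# Added example, not the PR's own workflow code: the step shape described
# above (view-or-create guard, upload --clobber, edit --title) as POSIX sh
# functions. Assumes REPO and GH_TOKEN are exported by the job env and that
# `gh` is on PATH, as on GitHub-hosted runners.

# ensure_release TAG TITLE
# Create the release if it does not exist yet. When two matrix arms race,
# the loser's `gh release create` fails; treat that as success only if the
# release is then visible, so a real failure still propagates.
ensure_release() {
    tag=$1
    title=$2
    if gh release view "$tag" --repo "$REPO" >/dev/null 2>&1; then
        return 0
    fi
    # Assumption: --notes "" keeps `gh release create` non-interactive.
    if gh release create "$tag" --repo "$REPO" --title "$title" --notes ""; then
        return 0
    fi
    gh release view "$tag" --repo "$REPO" >/dev/null 2>&1
}

# publish_asset TAG TITLE FILE
# Mirrors the softprops semantics the PR preserves: an asset with the same
# name is always replaced (--clobber) and the title is re-set on every upload.
publish_asset() {
    tag=$1
    title=$2
    file=$3
    # Stricter than softprops, as the PR notes: a missing asset fails loudly.
    if [ ! -f "$file" ]; then
        echo "asset not found: $file" >&2
        return 2
    fi
    ensure_release "$tag" "$title" || return 1
    gh release upload "$tag" "$file" --repo "$REPO" --clobber || return 1
    gh release edit "$tag" --repo "$REPO" --title "$title"
}

# Usage from a workflow step: sh publish.sh TAG TITLE FILE
if [ "$#" -eq 3 ]; then
    publish_asset "$@"
fi
```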
Each job gains `REPO: ${{ github.repository }}` in its job-level `env:`.

Note on triggers
On v24.13.0, both `build-node-fibers.yml` and `build-node-packages.yml` fire on `push` to v24.13.0 (in addition to `workflow_dispatch`); they are NOT chained off Build Node via `workflow_run`. That means each can land in this code path BEFORE `build-node.yml` has run for a given NODE_VERSION, so the view-or-create guard is genuinely necessary on every file (not just on `build-node.yml`). The comments in each file reflect that.

Divergence from main's post-migration shape
On main, `build-node-packages.yml` uses a simpler upload pattern (plain `gh release upload --clobber`, no view-or-create guard, no `gh release edit --title`), under the assumption it always runs downstream of `build-node.yml` (via `workflow_run`). On v24.13.0 that assumption doesn't hold (push trigger, not workflow_run), so the full pattern is the correct choice here; a simpler version would break standalone runs.

Behavior deltas vs. softprops/action-gh-release@v1
See PR #20 for the full delta table. Summary: 7 no-op deltas, 3 covered by the replacement block (view-or-create, clobber, edit-title), 1 stricter-beneficial (missing-file fails loudly), 1 supply-chain benefit (the point of this work).
Post-merge test plan for this branch
- v24.13.0 (or `workflow_dispatch`) triggers all three workflows. Each succeeds.
- `node-v24.13.0-release` with title `node-v24.13.0-LATEST`.
- `sha256sum` matches pre-migration.