workflows: replace softprops/action-gh-release with gh CLI

harshita-gupta · harshita-gupta · commit 2273b5892b0d · 2026-04-22T19:22:04.000-07:00
Supply-chain hardening: softprops/action-gh-release is a single-maintainer third-party action pinned to the mutable @v1 tag. Replacing it with the first-party `gh` CLI (pre-installed on GitHub-hosted runners, maintained by GitHub) removes that dependency from the release-upload path. Follow-up to #18, which migrated build-node-packages.yml. This migrates the remaining three workflows that still used the action: - build-node.yml - build-node-fibers.yml - build-node-openssl-fips.yml Each Upload step becomes: - view-or-create guard so the first matrix arm creates the release (and the second arm tolerates the race); - `gh release upload --clobber` for the asset (matches softprops's always-delete-then-upload behavior on name collision); - `gh release edit --title` to preserve softprops's behavior of always re-setting the release name on every upload. Each job also picks up `REPO: ${{ github.repository }}` in its env block for consistency with the pattern established in #18.
diff --git a/.github/workflows/build-node-fibers.yml b/.github/workflows/build-node-fibers.yml
@@ -22,6 +22,7 @@ jobs:
 
     env:
       NODE_VERSION: v20.18.3
+      REPO: ${{ github.repository }}
 
     steps:
       - name: Debug Matrix Values
@@ -78,10 +79,22 @@ jobs:
           tar -czf "$ARCHIVE_NAME" -C "$(dirname "$FIBERS_DIR")" "$(basename "$FIBERS_DIR")"
 
       - name: Upload archive to release
-        uses: softprops/action-gh-release@v1
-        with:
-          name: node-${{ env.NODE_VERSION }}-LATEST
-          tag_name: node-${{ env.NODE_VERSION }}-release
-          files: ${{ env.ARCHIVE_NAME }}
+        # Use `gh release upload` (first-party GitHub CLI, pre-installed on runners)
+        # instead of softprops/action-gh-release (one-maintainer third-party action).
+        # The view-or-create guard is race-safe under the matrix and also handles the
+        # workflow_dispatch case where the release may not yet exist. `--clobber`
+        # overwrites an existing asset with the same name, matching softprops's
+        # default. `gh release edit --title` preserves softprops's behavior of always
+        # re-setting the release name on every upload.
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          TAG="node-${NODE_VERSION}-release"
+          RELEASE_NAME="node-${NODE_VERSION}-LATEST"
+          if ! gh release view "$TAG" --repo "$REPO" >/dev/null 2>&1; then
+            gh release create "$TAG" --title "$RELEASE_NAME" --notes "" --repo "$REPO" \
+              || gh release view "$TAG" --repo "$REPO" >/dev/null
+          fi
+          gh release upload "$TAG" "$ARCHIVE_NAME" --clobber --repo "$REPO"
+          gh release edit "$TAG" --title "$RELEASE_NAME" --repo "$REPO"
diff --git a/.github/workflows/build-node-openssl-fips.yml b/.github/workflows/build-node-openssl-fips.yml
@@ -46,6 +46,7 @@ jobs:
     env:
       S3_BUCKET: your-bucket-name
       AWS_REGION: us-east-1
+      REPO: ${{ github.repository }}
 
     steps:
       - name: Checkout Node fork
@@ -148,10 +149,24 @@ jobs:
           path: artifacts/${{ env.NODE_ARCHIVE_LATEST }}
 
       - name: Upload Node archive to release
-        uses: softprops/action-gh-release@v1
-        with:
-          name: node-${{ env.NODE_VERSION }}-fips-static-LATEST
-          tag_name: node-${{ env.NODE_VERSION }}-fips-static-release
-          files: ./artifacts/${{ env.NODE_ARCHIVE_LATEST }}
+        # Use `gh release upload` (first-party GitHub CLI, pre-installed on runners)
+        # instead of softprops/action-gh-release (one-maintainer third-party action).
+        # The view-or-create guard is race-safe under the matrix: if the sibling
+        # job creates the release first, `gh release create` fails and the second
+        # `gh release view` confirms the release now exists. `--clobber` overwrites
+        # an existing asset with the same name, matching softprops's default. The
+        # final `gh release edit --title` preserves softprops's behavior of always
+        # re-setting the release name on every upload.
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          TAG="node-${NODE_VERSION}-fips-static-release"
+          RELEASE_NAME="node-${NODE_VERSION}-fips-static-LATEST"
+          FILE="./artifacts/${NODE_ARCHIVE_LATEST}"
+          if ! gh release view "$TAG" --repo "$REPO" >/dev/null 2>&1; then
+            gh release create "$TAG" --title "$RELEASE_NAME" --notes "" --repo "$REPO" \
+              || gh release view "$TAG" --repo "$REPO" >/dev/null
+          fi
+          gh release upload "$TAG" "$FILE" --clobber --repo "$REPO"
+          gh release edit "$TAG" --title "$RELEASE_NAME" --repo "$REPO"
diff --git a/.github/workflows/build-node.yml b/.github/workflows/build-node.yml
@@ -26,6 +26,7 @@ jobs:
     env:
       S3_BUCKET: your-bucket-name
       AWS_REGION: us-east-1
+      REPO: ${{ github.repository }}
 
     steps:
       - name: Checkout Node fork
@@ -97,10 +98,24 @@ jobs:
           path: artifacts/${{ env.NODE_ARCHIVE_LATEST }}
 
       - name: Upload Node archive to release
-        uses: softprops/action-gh-release@v1
-        with:
-          name: node-${{ env.NODE_VERSION }}-LATEST
-          tag_name: node-${{ env.NODE_VERSION }}-release
-          files: ./artifacts/${{ env.NODE_ARCHIVE_LATEST }}
+        # Use `gh release upload` (first-party GitHub CLI, pre-installed on runners)
+        # instead of softprops/action-gh-release (one-maintainer third-party action).
+        # The view-or-create guard is race-safe under the matrix: if the sibling
+        # job creates the release first, `gh release create` fails and the second
+        # `gh release view` confirms the release now exists. `--clobber` overwrites
+        # an existing asset with the same name, matching softprops's default. The
+        # final `gh release edit --title` preserves softprops's behavior of always
+        # re-setting the release name on every upload.
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          TAG="node-${NODE_VERSION}-release"
+          RELEASE_NAME="node-${NODE_VERSION}-LATEST"
+          FILE="./artifacts/${NODE_ARCHIVE_LATEST}"
+          if ! gh release view "$TAG" --repo "$REPO" >/dev/null 2>&1; then
+            gh release create "$TAG" --title "$RELEASE_NAME" --notes "" --repo "$REPO" \
+              || gh release view "$TAG" --repo "$REPO" >/dev/null
+          fi
+          gh release upload "$TAG" "$FILE" --clobber --repo "$REPO"
+          gh release edit "$TAG" --title "$RELEASE_NAME" --repo "$REPO"
