Skip to content

Fix #471: chore: replace softprops/action-gh-release with gh CLI in p...#488

Open
JiwaniZakir wants to merge 1 commit intoNVIDIA-NeMo:mainfrom
JiwaniZakir:fix/471-chore-replace-softprops-action-gh-releas
Open

Fix #471: chore: replace softprops/action-gh-release with gh CLI in p...#488
JiwaniZakir wants to merge 1 commit intoNVIDIA-NeMo:mainfrom
JiwaniZakir:fix/471-chore-replace-softprops-action-gh-releas

Conversation

@JiwaniZakir
Copy link
Copy Markdown

@JiwaniZakir JiwaniZakir commented Apr 2, 2026

Closes #471

Replaces the softprops/action-gh-release@v2 third-party action in the pack-tutorials workflow with a native gh release upload CLI call.

Changes

.github/workflows/pack-tutorials.yml (lines 68–73): The Upload zip file as release asset step no longer uses softprops/action-gh-release@v2. The uses/with block (specifying tag_name, files, draft, and prerelease) is replaced with an env/run block that authenticates via GH_TOKEN: ${{ github.token }} and executes gh release upload "${{ steps.get_release.outputs.tag }}" "${{ env.ZIP_FILE_NAME }}" directly. Net change: -5 lines, +3 lines.

Motivation

softprops/action-gh-release is a personally-maintained action pinned via a mutable v2 tag — the same supply chain risk pattern exploited in CVE-2025-30066 (tj-actions/changed-files). A compromised or tampered tag would silently execute arbitrary code with the workflow's token during a release.

Additionally, the action currently runs on Node.js 20. GitHub will deprecate Node.js 20 runner support on September 16, 2026, and no Node.js 24-compatible release of this action exists yet, meaning the step would begin emitting warnings after June 2, 2026 and break entirely by September.

gh is pre-installed on all GitHub-hosted runners and is maintained by GitHub directly, eliminating the third-party dependency with no functional change to the upload behavior.

Testing

Verify by triggering the pack-tutorials workflow against a test release tag and confirming:

  1. The workflow completes without error on the Upload zip file as release asset step.
  2. The .zip archive named by ZIP_FILE_NAME appears as an asset on the target release (steps.get_release.outputs.tag).
  3. gh release view <tag> --json assets lists the uploaded file with the expected name and size.

This PR was created with AI assistance (Claude). The changes were reviewed by quality gates and a critic model before submission.

@JiwaniZakir JiwaniZakir requested a review from a team as a code owner April 2, 2026 08:36
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 2, 2026

Thank you for your submission! We ask that you sign our Developer Certificate of Origin before we can accept your contribution. You can sign the DCO by adding a comment below using this text:

I have read the DCO document and I hereby sign the DCO.

You can retrigger this bot by commenting recheck in this Pull Request. Posted by the DCO Assistant Lite bot.

@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps bot commented Apr 2, 2026

Greptile Summary

This PR replaces the third-party softprops/action-gh-release@v2 action in .github/workflows/pack-tutorials.yml with a direct call to the pre-installed gh release upload CLI, eliminating a mutable-tag supply-chain risk while preserving identical upload behavior.

  • The replacement is functionally correct: gh release upload "<tag>" "<file>" authenticated via GH_TOKEN: ${{ github.token }} performs the same asset-upload operation as the removed action.
  • github.token and secrets.GITHUB_TOKEN are equivalent; no credential change occurs.
  • The job already carries permissions: contents: write (line 16), which gh release upload requires — no permission changes are needed.
  • The removed draft: false / prerelease: false fields from the old action are irrelevant here: gh release upload only uploads an asset to an existing release and does not mutate release metadata. Given the workflow only fires on release: types: [published] or workflow_dispatch (which resolves the latest published tag), the release is always already published at this point, so those flags were redundant anyway.
  • No issues were found in the change.

Confidence Score: 5/5
  • Safe to merge — single-file, minimal-scope change that is a strict improvement in supply-chain hygiene with no functional regression.
  • The change is a direct, line-for-line equivalent substitution: same token, same tag expression, same file path. All required permissions are already present in the job. The removed draft/prerelease flags were no-ops given the workflow's trigger conditions. No logic errors or correctness issues were found.
  • No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/pack-tutorials.yml Replaces softprops/action-gh-release@v2 with native gh release upload CLI call; permissions, token, and tag variable are all correctly wired.

Sequence Diagram

 
sequenceDiagram
    participant T as Trigger (release/dispatch)
    participant GR as get_release step
    participant ZU as zip-upload step (NEW)
    participant GH as GitHub Releases API

    T->>GR: github.event.release.tag_name OR gh release view
    GR-->>ZU: steps.get_release.outputs.tag
    ZU->>GH: gh release upload "<tag>" "data_designer_tutorial.zip"<br/>(authenticated via GH_TOKEN)
    GH-->>ZU: asset uploaded successfully
Loading

Reviews (1): Last reviewed commit: "Replace softprops/action-gh-release with..." | Re-trigger Greptile

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

chore: replace softprops/action-gh-release with gh CLI in pack-tutorials workflow

1 participant

@JiwaniZakir