release.yaml: authenticate the version-resolution API calls
Some checks failed
Build / validate (push) Failing after 6s

The /releases/latest and /releases/tags/X reads were unauthenticated. On
private repos Forgejo returns 404 to unauth'd callers, so the workflow
silently fell back to v0.0.0 as the "previous version" and let a
BUMP_PATCH on top of v1.x.y produce v0.0.1. The duplicate-tag guard had
the same blind spot — it could not detect existing releases at all.

Both reads now send the Authorization header and treat any non-200 /
non-404 response as a hard failure instead of swallowing it.
This commit is contained in:
Erich Blume 2026-05-11 10:07:39 -07:00
commit c46c303236


@ -41,19 +41,33 @@ jobs:
steps: steps:
- name: Resolve version - name: Resolve version
id: version id: version
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: | run: |
set -euo pipefail
VERSION_TYPE="${{ inputs.version_type }}" VERSION_TYPE="${{ inputs.version_type }}"
SPECIFIC_VERSION="${{ inputs.specific_version }}" SPECIFIC_VERSION="${{ inputs.specific_version }}"
FORGE_URL="${{ github.server_url }}/api/v1/repos/${{ github.repository }}" FORGE_URL="${{ github.server_url }}/api/v1/repos/${{ github.repository }}"
echo "Fetching latest release..." echo "Fetching latest release..."
LATEST=$(curl -s "${FORGE_URL}/releases/latest" | jq -r '.tag_name // empty' || true) # Private repos return 404 to unauthenticated callers, so the auth
# header is required even though "latest release" reads like public
# info. Without it the curl 404s, falls back to v0.0.0, and a
# BUMP_PATCH on top of v1.x.y silently produces v0.0.1.
LATEST_STATUS=$(curl -s -o /tmp/latest.json -w "%{http_code}" \
-H "Authorization: token $GITHUB_TOKEN" \
"${FORGE_URL}/releases/latest")
if [ -z "$LATEST" ]; then if [ "$LATEST_STATUS" = "200" ]; then
LATEST=$(jq -r '.tag_name' < /tmp/latest.json)
echo "Latest release: $LATEST"
elif [ "$LATEST_STATUS" = "404" ]; then
LATEST="v0.0.0" LATEST="v0.0.0"
echo "No previous releases found, using base version: $LATEST" echo "No previous releases found, using base version: $LATEST"
else else
echo "Latest release: $LATEST" echo "Error: unexpected HTTP $LATEST_STATUS fetching latest release"
cat /tmp/latest.json
exit 1
fi fi
CURRENT="${LATEST#v}" CURRENT="${LATEST#v}"
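Review bot: The 200 branch drops the old `// empty` guard, so `LATEST=$(jq -r '.tag_name' < /tmp/latest.json)` yields the literal string `null` if the body has no `tag_name`, and `CURRENT="${LATEST#v}"` then feeds `null` into the bump logic below. Suggest validating the value before using it, e.g. `[ -n "$LATEST" ] && [ "$LATEST" != "null" ] || { echo "Error: latest release has no tag_name"; exit 1; }`, or better, matching it against `^v[0-9]+\.[0-9]+\.[0-9]+$` so a malformed tag fails loudly under the new `set -euo pipefail` rather than producing a nonsense version. Also, now that `GITHUB_TOKEN` is passed via `env:`, `inputs.version_type` and `inputs.specific_version` should go the same way (`VERSION_TYPE: ${{ inputs.version_type }}` under `env:`) instead of being interpolated into the `run:` body, which removes the shell-injection surface from workflow_dispatch inputs.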
@ -92,9 +106,18 @@ jobs:
;; ;;
esac esac
if curl -sf "${FORGE_URL}/releases/tags/$VERSION" > /dev/null 2>&1; then # Same auth requirement: on a private repo, an unauthenticated
# curl always 404s here, which would silently disable the
# "release already exists" guard.
EXISTS_STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
-H "Authorization: token $GITHUB_TOKEN" \
"${FORGE_URL}/releases/tags/$VERSION")
if [ "$EXISTS_STATUS" = "200" ]; then
echo "Error: Release $VERSION already exists" echo "Error: Release $VERSION already exists"
exit 1 exit 1
elif [ "$EXISTS_STATUS" != "404" ]; then
echo "Error: unexpected HTTP $EXISTS_STATUS checking for existing release"
exit 1
fi fi
echo "version=$VERSION" >> "$GITHUB_OUTPUT" echo "version=$VERSION" >> "$GITHUB_OUTPUT"
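Review bot: `$VERSION` is interpolated into the request path unvalidated, and when it comes from `specific_version` it is arbitrary user input; a value containing `/`, `?` or `#` would query a different endpoint, and a 200 from that endpoint would be misreported as "release already exists" while anything else is a hard failure with no body to explain it. Suggest validating `VERSION` against `^v[0-9]+\.[0-9]+\.[0-9]+$` immediately after the `esac` and before the curl. Two smaller points: this check uses `-o /dev/null`, so the `unexpected HTTP` branch cannot `cat` the error body the way the latest-release check above does (capture to `/tmp/exists.json` for consistency), and `/releases/tags/$VERSION` only detects an existing release, not an existing bare git tag of the same name, so the guard will not stop a push that collides with a tag that has no release attached; checking `${FORGE_URL}/tags/$VERSION` as well would close that gap.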