Merge pull request 'Update https://code.forgejo.org/actions/setup-forgejo action to v2.0.11' (#49) from renovate/https-code.forgejo.org-actions-setup-forgejo-2.x into main

Reviewed-on: https://code.forgejo.org/actions/forgejo-release/pulls/49
Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org>

.forgejo/workflows/integration.yml

@@ -6,7 +6,7 @@ jobs:
       - uses: actions/checkout@v3
 
       - id: forgejo
-        uses: https://code.forgejo.org/actions/setup-forgejo@v2.0.3
+        uses: https://code.forgejo.org/actions/setup-forgejo@v2.0.11
         with:
           user: testuser
           password: admin1234

.gitignore

@@ -1 +1,2 @@
 *~
+.idea

README.md

@@ -10,12 +10,12 @@ Upload or download the assets of a release to a Forgejo instance.
 
 | name | description | required | default |
 | --- | --- | --- | --- |
-| `url` | <p>URL of the Forgejo instance</p> | `false` | `""` |
+| `url` | <p>URL of the Forgejo instance</p> | `false` | `${{ env.GITHUB_SERVER_URL }}` |
-| `repo` | <p>owner/project relative to the URL</p> | `false` | `""` |
+| `repo` | <p>owner/project relative to the URL</p> | `false` | `${{ github.repository }}` |
-| `tag` | <p>Tag of the release</p> | `false` | `""` |
+| `tag` | <p>Tag of the release</p> | `false` | `${{ github.ref_name }}` |
 | `title` | <p>Title of the release (defaults to tag)</p> | `false` | `""` |
-| `sha` | <p>SHA of the release</p> | `false` | `""` |
+| `sha` | <p>SHA of the release</p> | `false` | `${{ github.sha }}` |
-| `token` | <p>Forgejo application token</p> | `true` | `""` |
+| `token` | <p>Forgejo application token</p> | `false` | `${{ secrets.GITHUB_TOKEN }}` |
 | `release-dir` | <p>Directory in whichs release assets are uploaded or downloaded</p> | `true` | `""` |
 | `release-notes` | <p>Release notes</p> | `false` | `""` |
 | `direction` | <p>Can either be <code>download</code> or <code>upload</code></p> | `true` | `""` |
@@ -37,16 +37,18 @@ Upload or download the assets of a release to a Forgejo instance.
 Upload the release located in `release-dir` to the release section of a repository (`url` and `repo`):
 
 ```yaml
-on: [tag]
 jobs:
   upload-release:
-    runs-on: ubuntu-latest
+    runs-on: docker
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
-      - uses: actions/forgejo-release@v2
+      - uses: actions/forgejo-release@v2.6.0
         with:
           direction: upload
-          url: https://code.forgejo.org
+          url: https://my-forgejo-instance.net
+          repo: myuser/myrepo
+          token: ${{ secrets.WRITE_TOKEN_TO_MYREPO }}
+          tag: v1.0.0
           release-dir: dist/release
           release-notes: "MY RELEASE NOTES"
 ```
@@ -56,24 +58,24 @@ jobs:
 Example downloading the forgejo release v1.21.4-0 into the working directory:
 
 ```yaml
-on: [tag]
 jobs:
   download-release:
-    runs-on: ubuntu-latest
+    runs-on: docker
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
-      - uses: actions/forgejo-release@v2
+      - uses: actions/forgejo-release@v2.6.0
         with:
           direction: download
-          url: https://code.forgejo.org
+          url: https://my-forgejo-instance.net
-          repo: forgejo/forgejo
+          repo: myuser/myrepo
-          tag: v1.21.4-0
+          token: ${{ secrets.READ_TOKEN_TO_MYREPO }}
+          tag: v1.0.0
           release-dir: ./  # by default, files are downloaded into dist/release
 ```
 
 ### Real world example
 
-This action is used to [publish](https://code.forgejo.org/forgejo/release-notes-assistant/src/branch/main/.forgejo/workflows/release.yml) the release notes assistant assets.
+This action is used to [publish](https://code.forgejo.org/forgejo/release-notes-assistant/src/commit/09f2c22d80d5ee655783cfeb2c1d4bab4afec3e4/.forgejo/workflows/release.yml) the release notes assistant assets.
 
 ## Update the `input` section of the README
 

action.yml

@@ -6,17 +6,21 @@ description: |
 inputs:
   url:
     description: 'URL of the Forgejo instance'
+    default: '${{ env.GITHUB_SERVER_URL }}'
   repo:
     description: 'owner/project relative to the URL'
+    default: '${{ github.repository }}'
   tag:
     description: 'Tag of the release'
+    default: '${{ github.ref_name }}'
   title:
     description: 'Title of the release (defaults to tag)'
   sha:
     description: 'SHA of the release'
+    default: '${{ github.sha }}'
   token:
     description: 'Forgejo application token'
-    required: true
+    default: '${{ secrets.GITHUB_TOKEN }}'
   release-dir:
     description: 'Directory in whichs release assets are uploaded or downloaded'
     required: true
@@ -57,9 +61,6 @@ runs:
       shell: bash
     - run: |
         export FORGEJO="${{ inputs.url }}"
-        if test -z "$FORGEJO"; then
-          export FORGEJO="${{ env.GITHUB_SERVER_URL }}"
-        fi
         # A trailing / will mean http://forgejo//api/v1 is used
         # and it always 401 as of v1.19, because of the double slash
         FORGEJO=${FORGEJO%%/}
@@ -67,17 +68,8 @@ runs:
         export HOST=${FORGEJO#*://}
 
         export REPO="${{ inputs.repo }}"
-        if test -z "$REPO"; then
-          export REPO="${{ github.repository }}"
-        fi
 
         export TAG="${{ inputs.tag }}"
-        if test -z "$TAG"; then
-          export TAG="${{ github.ref_name }}"
-          # until https://code.forgejo.org/forgejo/runner/issues/9 is fixed
-          # trim refs/tags/
-          TAG=${TAG##refs/tags/}
-        fi
 
         export TITLE="${{ inputs.title }}"
 
@@ -99,9 +91,6 @@ runs:
         )
 
         export SHA="${{ inputs.sha }}"
-        if test -z "$SHA"; then
-          export SHA="${{ github.sha }}"
-        fi
 
         export OVERRIDE="${{ inputs.override }}"
 

forgejo-release.sh

@@ -19,46 +19,83 @@ if ${VERBOSE:-false}; then set -x; fi
 : ${RETRY:=1}
 : ${DELAY:=10}
 
+TAG_FILE="$TMP_DIR/tag$$.json"
+
 export GNUPGHOME
 
 setup_tea() {
-    if ! test -f $BIN_DIR/tea ; then
+    if ! test -f "$BIN_DIR"/tea; then
-	ARCH=$(dpkg --print-architecture)
+        ARCH=$(dpkg --print-architecture)
-	curl -sL https://dl.gitea.io/tea/$TEA_VERSION/tea-$TEA_VERSION-linux-$ARCH > $BIN_DIR/tea
+        curl -sL https://dl.gitea.io/tea/$TEA_VERSION/tea-$TEA_VERSION-linux-"$ARCH" >"$BIN_DIR"/tea
-	chmod +x $BIN_DIR/tea
+        chmod +x "$BIN_DIR"/tea
+    fi
+}
+
+get_tag() {
+    if ! test -f "$TAG_FILE"; then
+        if api GET repos/$REPO/tags/"$TAG" >"$TAG_FILE"; then
+            echo "tag $TAG exists"
+        else
+            echo "tag $TAG does not exists"
+        fi
+    fi
+    test -s "$TAG_FILE"
+}
+
+matched_tag() {
+    if get_tag; then
+        local sha=$(jq --raw-output .commit.sha <"$TAG_FILE")
+        test "$sha" = "$SHA"
+    else
+        return 1
     fi
 }
 
 ensure_tag() {
-    if api GET repos/$REPO/tags/$TAG > $TMP_DIR/tag.json ; then
+    if get_tag; then
-	local sha=$(jq --raw-output .commit.sha < $TMP_DIR/tag.json)
+        if ! matched_tag; then
-	if test "$sha" != "$SHA" ; then
+            cat "$TAG_FILE"
-	    cat $TMP_DIR/tag.json
+            echo "the tag SHA in the $REPO repository does not match the tag SHA that triggered the build: $SHA"
-	    echo "the tag SHA in the $REPO repository does not match the tag SHA that triggered the build: $SHA"
+            return 1
-	    false
+        fi
-	fi
     else
-	api POST repos/$REPO/tags --data-raw '{"tag_name": "'$TAG'", "target": "'$SHA'"}'
+        create_tag
+    fi
+}
+
+create_tag() {
+    api POST repos/$REPO/tags --data-raw '{"tag_name": "'"$TAG"'", "target": "'"$SHA"'"}' >"$TAG_FILE"
+}
+
+delete_tag() {
+    if get_tag; then
+        api DELETE repos/$REPO/tags/$TAG
+        rm -f "$TAG_FILE"
     fi
 }
 
 upload_release() {
-    local assets=$(ls $RELEASE_DIR/* | sed -e 's/^/-a /')
+    # assets is defined as a list of arguments, where values may contain whitespace and need to be quoted like this -a "my file.txt" -a "file.txt".
-    if $PRERELEASE || echo "${TAG}" | grep -qi '\-rc' ; then
+    # It is expanded using "${assets[@]}" which preserves the separation of arguments and not split whitespace containing values.
-        releasetype="--prerelease"
+    # For reference, see https://github.com/koalaman/shellcheck/wiki/SC2086#exceptions
+    local assets=()
+    for file in "$RELEASE_DIR"/*; do
+        assets=("${assets[@]}" -a "$file")
+    done
+    if $PRERELEASE || echo "${TAG}" | grep -qi '\-rc'; then
+        releaseType="--prerelease"
         echo "Uploading as Pre-Release"
     else
         echo "Uploading as Stable"
     fi
     ensure_tag
-    anchor=$(echo $TAG | sed -e 's/^v//' -e 's/[^a-zA-Z0-9]/-/g')
+    if ! "$BIN_DIR"/tea release create "${assets[@]}" --repo $REPO --note "$RELEASENOTES" --tag "$TAG" --title "$TITLE" --draft ${releaseType} >&"$TMP_DIR"/tea.log; then
-    if ! $BIN_DIR/tea release create $assets --repo $REPO --note "$RELEASENOTES" --tag $TAG --title "$TITLE" --draft ${releasetype} >& $TMP_DIR/tea.log ; then
+        if grep --quiet 'Unknown API Error: 500' "$TMP_DIR"/tea.log && grep --quiet services/release/release.go:194 "$TMP_DIR"/tea.log; then
-        if grep --quiet 'Unknown API Error: 500' $TMP_DIR/tea.log && grep --quiet services/release/release.go:194 $TMP_DIR/tea.log ; then
             echo "workaround v1.20 race condition https://codeberg.org/forgejo/forgejo/issues/1370"
             sleep 10
-            $BIN_DIR/tea release create $assets --repo $REPO --note "$RELEASENOTES" --tag $TAG --title "$TITLE" --draft ${releasetype}
+            "$BIN_DIR"/tea release create "${assets[@]}" --repo $REPO --note "$RELEASENOTES" --tag "$TAG" --title "$TITLE" --draft ${releaseType}
         else
-            cat $TMP_DIR/tea.log
+            cat "$TMP_DIR"/tea.log
             return 1
         fi
     fi
@@ -69,61 +106,63 @@ upload_release() {
 release_draft() {
     local state="$1"
 
-    local id=$(api GET repos/$REPO/releases/tags/$TAG | jq --raw-output .id)
+    local id=$(api GET repos/$REPO/releases/tags/"$TAG" | jq --raw-output .id)
 
-    api PATCH repos/$REPO/releases/$id --data-raw '{"draft": '$state', "hide_archive_links": '$HIDE_ARCHIVE_LINK'}'
+    api PATCH repos/$REPO/releases/"$id" --data-raw '{"draft": '"$state"', "hide_archive_links": '$HIDE_ARCHIVE_LINK'}'
 }
 
 maybe_use_release_note_assistant() {
     if "$RELEASE_NOTES_ASSISTANT"; then
         curl --fail -s -S -o rna https://code.forgejo.org/forgejo/release-notes-assistant/releases/download/v1.2.3/release-notes-assistant
         chmod +x ./rna
-        ./rna --storage release --storage-location $TAG --forgejo-url $SCHEME://placeholder:$TOKEN@$HOST --repository $REPO --token $TOKEN release $TAG
+        ./rna --storage release --storage-location "$TAG" --forgejo-url "$SCHEME"://placeholder:"$TOKEN"@"$HOST" --repository $REPO --token "$TOKEN" release "$TAG"
     fi
 }
 
 sign_release() {
     local passphrase
     if test -s "$GPG_PASSPHRASE"; then
-	passphrase="--passphrase-file $GPG_PASSPHRASE"
+        passphrase="--passphrase-file $GPG_PASSPHRASE"
     fi
     gpg --import --no-tty --pinentry-mode loopback $passphrase "$GPG_PRIVATE_KEY"
-    for asset in $RELEASE_DIR/* ; do
+    for asset in "$RELEASE_DIR"/*; do
-	if [[ $asset =~ .sha256$ ]] ; then
+        if [[ $asset =~ .sha256$ ]]; then
-	    continue
+            continue
-	fi
+        fi
-	gpg --armor --detach-sign --no-tty --pinentry-mode loopback $passphrase < $asset > $asset.asc
+        gpg --armor --detach-sign --no-tty --pinentry-mode loopback $passphrase <"$asset" >"$asset".asc
     done
 }
 
 maybe_sign_release() {
     if test -s "$GPG_PRIVATE_KEY"; then
-	sign_release
+        sign_release
     fi
 }
 
 maybe_override() {
     if test "$OVERRIDE" = "false"; then
-	return
+        return
+    fi
+    api DELETE repos/$REPO/releases/tags/"$TAG" >&/dev/null || true
+    if get_tag && ! matched_tag; then
+        delete_tag
     fi
-    api DELETE repos/$REPO/releases/tags/$TAG >& /dev/null || true
-    api DELETE repos/$REPO/tags/$TAG >& /dev/null || true
 }
 
 upload() {
     setup_api
     setup_tea
     rm -f ~/.config/tea/config.yml
-    GITEA_SERVER_TOKEN=$TOKEN $BIN_DIR/tea login add --url $FORGEJO
+    GITEA_SERVER_TOKEN=$TOKEN "$BIN_DIR"/tea login add --url $FORGEJO
     maybe_sign_release
     maybe_override
     upload_release
 }
 
 setup_api() {
-    if ! which jq curl ; then
+    if ! which jq curl; then
-	apt-get -qq update
+        apt-get -qq update
-	apt-get install -y -qq jq curl
+        apt-get install -y -qq jq curl
     fi
 }
 
@@ -133,46 +172,46 @@ api() {
     path=$1
     shift
 
-    curl --fail -X $method -sS -H "Content-Type: application/json" -H "Authorization: token $TOKEN" "$@" $FORGEJO/api/v1/$path
+    curl --fail -X "$method" -sS -H "Content-Type: application/json" -H "Authorization: token $TOKEN" "$@" $FORGEJO/api/v1/"$path"
 }
 
 wait_release() {
     local ready=false
     for i in $(seq $RETRY); do
-	if api GET repos/$REPO/releases/tags/$TAG | jq --raw-output .draft > $TMP_DIR/draft; then
+        if api GET repos/$REPO/releases/tags/"$TAG" | jq --raw-output .draft >"$TMP_DIR"/draft; then
-	    if test "$(cat $TMP_DIR/draft)" = "false"; then
+            if test "$(cat "$TMP_DIR"/draft)" = "false"; then
-		ready=true
+                ready=true
-		break
+                break
-	    fi
+            fi
-	    echo "release $TAG is still a draft"
+            echo "release $TAG is still a draft"
-	else
+        else
-	    echo "release $TAG does not exist yet"
+            echo "release $TAG does not exist yet"
-	fi
+        fi
-	echo "waiting $DELAY seconds"
+        echo "waiting $DELAY seconds"
-	sleep $DELAY
+        sleep $DELAY
     done
-    if ! $ready ; then
+    if ! $ready; then
-	echo "no release for $TAG"
+        echo "no release for $TAG"
-	return 1
+        return 1
     fi
 }
 
 download() {
     setup_api
     (
-	mkdir -p $RELEASE_DIR
+        mkdir -p $RELEASE_DIR
-	cd $RELEASE_DIR
+        cd $RELEASE_DIR
-    if [[ ${DOWNLOAD_LATEST} == "true" ]] ; then
+        if [[ ${DOWNLOAD_LATEST} == "true" ]]; then
-        echo "Downloading the latest release"
+            echo "Downloading the latest release"
-        api GET repos/$REPO/releases/latest > $TMP_DIR/assets.json
+            api GET repos/$REPO/releases/latest >"$TMP_DIR"/assets.json
-    elif [[ ${DOWNLOAD_LATEST} == "false" ]] ; then
+        elif [[ ${DOWNLOAD_LATEST} == "false" ]]; then
-        wait_release
+            wait_release
-        echo "Downloading tagged release ${TAG}"
+            echo "Downloading tagged release ${TAG}"
-	    api GET repos/$REPO/releases/tags/$TAG > $TMP_DIR/assets.json
+            api GET repos/$REPO/releases/tags/"$TAG" >"$TMP_DIR"/assets.json
-    fi
+        fi
-	jq --raw-output '.assets[] | "\(.name) \(.browser_download_url)"' < $TMP_DIR/assets.json | while read name url ; do
+        jq --raw-output '.assets[] | "\(.browser_download_url) \(.name)"' <"$TMP_DIR"/assets.json | while read url name; do # `name` may contain whitespace, therefore, it must be last
-	    curl --fail -H "Authorization: token $TOKEN" -o $name -L $url
+            curl --fail -H "Authorization: token $TOKEN" -o "$name" -L "$url"
-	done
+        done
     )
 }
 

renovate.json

@@ -1,6 +1,18 @@
 {
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
+    "extends": ["local>actions/renovate-config"],
-    "local>actions/renovate-config"
+    "customManagers": [
-  ]
+        {
+            "customType": "regex",
+            "description": "update example in README.md",
+            "fileMatch": ["^README.md$"],
+            "matchStrings": [
+                "uses: actions/forgejo-release@(?<currentValue>v\\d+\\.\\d+\\.\\d+)"
+            ],
+            "datasourceTemplate": "gitea-tags",
+            "depNameTemplate": "actions/forgejo-release",
+            "versioningTemplate": "semver",
+            "registryUrlTemplate": "https://code.forgejo.org"
+        }
+    ]
 }

testdata/forgejo-release-test.sh

@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: MIT
 
 set -ex
+PS4='${BASH_SOURCE[0]}:$LINENO: ${FUNCNAME[0]}:  '
 
 test_teardown() {
     setup_api
@@ -38,24 +39,37 @@ test_wait_release() {
     ! wait_release
 }
 
+test_create_delete_tag() {
+    delete_tag
+
+    ! get_tag
+    create_tag
+    get_tag
+    delete_tag
+    ! get_tag
+}
+
 test_ensure_tag() {
-    api DELETE repos/$REPO/tags/$TAG || true
+    delete_tag
     #
     # idempotent
     #
     ensure_tag
-    api GET repos/$REPO/tags/$TAG > $TMP_DIR/tag1.json
+    mv $TAG_FILE $TMP_DIR/tag1.json
+
     ensure_tag
-    api GET repos/$REPO/tags/$TAG > $TMP_DIR/tag2.json
+    mv $TAG_FILE $TMP_DIR/tag2.json
+
     diff -u $TMP_DIR/tag[12].json
     #
     # sanity check on the SHA of an existing tag
     #
     (
-	SHA=12345
+        SHA=12345
-	! ensure_tag
+        ! matched_tag
+        ! ensure_tag
     )
-    api DELETE repos/$REPO/tags/$TAG
+    delete_tag
 }
 
 test_maybe_sign_release_no_gpg() {
@@ -94,8 +108,8 @@ test_maybe_sign_release_skipped() {
 }
 
 test_maybe_sign_release_verify() {
-    for file in  $RELEASE_DIR/file-one.txt  $RELEASE_DIR/file-two.txt; do
+    for file in $RELEASE_DIR/file-one.txt $RELEASE_DIR/file-two.txt; do
-	gpg --verify $file.asc $file
+        gpg --verify $file.asc $file
     done
 }
 
@@ -129,6 +143,7 @@ test_run() {
     REPO=$user/$project
     test_setup $project
     test_ensure_tag
+    test_create_delete_tag
     DELAY=0
     test_wait_release_fail
     echo "================================ TEST BEGIN"

testdata/nested-upload-download/.forgejo/workflows/test.yml

@@ -12,7 +12,7 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - id: forgejo
-        uses: https://code.forgejo.org/actions/setup-forgejo@v1
+        uses: https://code.forgejo.org/actions/setup-forgejo@v2.0.11
         with:
           user: testuser
           password: admin1234

testdata/upload-download/upload-dir/file 3.txt

@@ -0,0 +1 @@
+FILE3