robinraju / release-downloader
Github action to download release assets from private or public repositories
License: MIT License
I used release-downloader in our local with this tag: https://github.com/robinraju/release-downloader/commits/v1.8
Let's assume there are two repos
After downloading, the name of the unzipped folder is different, e.g.
The repo2's folder name just has 7 digits of the whole sha; does someone know the reason?
I hope organization2/repo2's unzipped folder is organization2-repo2-efa4cd07bd0195e6cc65e9e30c251b49ce4d3e51 rather than organization2-repo2-efa4cd0
Remove original files after extracting archives.
Describe the bug
I tried to use the action for downloading the release assets based on the following options
In both cases I get a different error regarding the field:
I get Error: [getlatestRelease] Unexpected response: 404 when I use the latest field
If I use the tag instead of the latest field then I get the same error for the tag
Error: [getReleaseByTag] Unexpected response: 404
Kindly let me know how to solve this issue.
Action Environment (please complete the following information):
Is your feature request related to a problem? Please describe.
I have a release asset that contains some .dll files.
When using the "extract: true" option on execution I'm getting
"Error: Malicious entry: Checklist.Serialization.Desktop.resources.dll"
I'm not sure if this happens for any .dll files
Describe the solution you'd like
The node-stream-zip library has an option to skip the file name validation.
https://github.com/antelle/node-stream-zip/blob/master/release-notes.md
Can we have a flag on the action level itself and the unzip command to be executed with the flag skipEntryNameValidation depending on the bool value set as param?
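The trade-off behind this request, as an added example (not code from release-downloader or node-stream-zip): rather than switching entry-name validation off, an extractor can resolve each entry name against the destination directory and reject only the names that would land outside it. The function names, the sample entry names and the choice to treat `\` as a path separator are assumptions made for illustration.

```javascript
// Added example: function names and sample data are constructed for illustration.

// Turn a zip entry name into path segments relative to the extraction root,
// or throw if the name could place a file outside that root.
function resolveEntry(entryName) {
  if (typeof entryName !== 'string' || entryName.length === 0) {
    throw new Error('Rejected entry: empty name');
  }
  if (entryName.includes('\0')) {
    throw new Error('Rejected entry: NUL byte in name');
  }
  // Assumption: archives built on Windows may use "\" as a separator, so it is
  // treated as one here instead of as an ordinary file-name character.
  const unified = entryName.replace(/\\/g, '/');
  if (unified.startsWith('/') || /^[A-Za-z]:/.test(unified)) {
    throw new Error(`Rejected entry: absolute path ${entryName}`);
  }
  const segments = [];
  for (const part of unified.split('/')) {
    if (part === '' || part === '.') continue; // "a//b" and "./a" are harmless
    if (part === '..') {
      // Any parent reference is refused, even one that would stay inside the root.
      throw new Error(`Rejected entry: parent reference in ${entryName}`);
    }
    segments.push(part); // "notes..old" is a normal name, not a parent reference
  }
  if (segments.length === 0) {
    throw new Error(`Rejected entry: no file name in ${entryName}`);
  }
  return segments;
}

// Split a list of entry names into those safe to write and those to skip.
function planExtraction(destDir, entryNames) {
  const root = destDir.replace(/\/+$/, '');
  const accepted = [];
  const rejected = [];
  for (const name of entryNames) {
    try {
      accepted.push({ name, target: `${root}/${resolveEntry(name).join('/')}` });
    } catch (err) {
      rejected.push({ name, reason: err.message });
    }
  }
  return { accepted, rejected };
}

// Constructed entry names: three legitimate ones, four that leave the root.
const SAMPLE_ENTRIES = [
  'Checklist.Serialization.Desktop.resources.dll',
  'de\\Checklist.Serialization.Desktop.resources.dll',
  'lib/notes..old/readme.txt',
  '../outside.dll',
  'lib/../../outside.dll',
  '/etc/outside.conf',
  'C:\\Temp\\outside.dll',
];

const plan = planExtraction('/tmp/out', SAMPLE_ENTRIES);
for (const a of plan.accepted) console.log('extract', a.name, '->', a.target);
for (const r of plan.rejected) console.log('skip   ', r.reason);
```

A name check of this kind does not cover symbolic-link entries, which an extractor has to handle separately.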
Is your feature request related to a problem? Please describe.
I can only download the latest, the prerelease or a specific release. I would like to download the 2nd and 3rd latest releases, since I can't keep track of the releases / ids. This is because I use the Tauri Action and it takes care of the releases. The download doesn't have to be all at once, the Action could be called multiple times for multiple deltas.
Describe the solution you'd like
Maybe something like latest_delta: int
Where the int is the amount of releases from the latest that you want to download. It would default to 0
Describe alternatives you've considered
Start tracking releases in a different way so I can call the specific release
Is your feature request related to a problem? Please describe.
When using wildcard '*', I want to get the exact file name(s)
Describe the solution you'd like
Add an output variable like downloaded_files to get the filenames that were downloaded.
To access a specific file name, use '${{ fromJson(steps..outputs.downloaded_files)[0] }}'.
Hi @robinraju
I used the release-downloader and get the latest version. The problem and error appearing is: Error: there are no assets found.
The problem is, there are assets. Is there a solution for this?
Note - with version 1.8, it works.
For cross repositories release downloader, if I don't want to use PAT, can I use github app token instead?
like this:
- name: Generate token
  id: generate_token
  uses: tibdex/github-app-token@v1
  with:
    app_id: ${{ secrets.APP_ID }}
    private_key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Download release tar
  uses: robinraju/[email protected]
  with:
    repository: "XX/XX"
    latest: true
    fileName: "AAA"
    out-file-path: "xxx"
    token: ${{steps.generate_token.outputs.token}}
I tried, but failed.
Describe the bug
The extract option in 1.9 version seems to be broken. I have a release zip artifact which contains contents as:
artifact.zip
|__ conf (directory)
|__ dags (directory)
|__ requirements.txt (file)
When 1.9 version does extraction, it somehow extracts only as:
artifact.zip
|__ dags (directory)
missing both the conf and requirements.txt.
1.8 version seemed to work and extract fine. I came to know when my deployment pipeline started to fail after bumping the download action to 1.9. Now reverted it back to 1.8 and works fine.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
the extraction in 1.9 version should behave the same as 1.8 i.e., the zip extraction should extract the contents correctly
Action Environment (please complete the following information):
Dear @robinraju, I was trying to use this action, seeing 401 error always. Any clue?
Describe the bug
As of this morning, all downloads using this action are giving a 400
eg
Fetching latest release for repo RentTheRunway/<repo>
Downloading file: <tool>-linux-amd64.tar.gz to: /runner/_work/<runner>
Error: Unexpected response: 400
Curious if anyone else just started seeing this? Maybe the API changed today?
To Reproduce
Steps to reproduce the behavior:
Expected behavior
It should successfully download the artifact
Action Environment (please complete the following information):
Additional context
I'm running with the following
- uses: robinraju/[email protected]
  with:
    repository: "RentTheRunway/<repo>"
    latest: true
    fileName: "<file>-linux-amd64.tar.gz"
    token: ${{ secrets.ACCESS_TOKEN_GITHUB }}
Is your feature request related to a problem? Please describe.
I am not sure how to allow download of the latest prerelease.
Describe the solution you'd like
I would like a flag that allows me to include prereleases in the list of releases to pull from.
Describe alternatives you've considered
None
Describe the bug
After upgrading from version 1.8 to 1.9, we ran into an issue where the translations were no longer working correctly inside of our application. (They are built on a separate repo and then downloaded when building the main app)
The hash of the file I am checking when downloaded (and extracted) through v1.8 is 03BFCE70E15EDC39B775E673B5E03FB2F71DAC16A216C4AB5A3803D8F36CE11E.
When using the same config and using v1.9, the resulting hash is 0BB2FCC4A185967658AE3D3172E80CC713212659BB59DD8884EF193E336F238C.
To Reproduce
Steps to reproduce the behavior:
.mo files as those are what we are having issues with.
I really don't understand where this issue could be coming from, but it's certainly causing us issues
At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of GITHUB_TOKEN permissions needed by different GitHub Actions. When developers try to set minimum token permissions for their workflows, they can use this knowledge-base instead of trying to research permissions needed by each GitHub Action they use.
Below you can see the KB of your GITHUB Action.
name: "release-downloader"
github-token:
  action-input:
    input: token
    is-default: false
  permissions:
    contents: read
    contents-reason: to download release from private repo #Checkout: https://github.com/robinraju/release-downloader#usage
#Fixes #624
If you think this information is not accurate, or if in the future your GitHub Action starts using a different set of permissions, please create an issue at https://github.com/step-security/secure-workflows/issues to let us know.
This issue is automatically created by our analysis bot, feel free to close after reading :)
GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.
Setting minimum token permissions is also checked for by Open Source Security Foundation (OpenSSF) Scorecards. Scorecards recommend using https://github.com/step-security/secure-workflows so developers can fix this issue in an easier manner.
I am in the process of hardening the security in our organization for our actions. After forking the repository and creating a tag for the latest (v1.10), the following error is displayed
Error: Client network socket disconnected before secure TLS connection was established
I was using v1.4 tag earlier which does not display this issue
To Reproduce Steps to reproduce the behavior:
Create a workflow:
jobs:
  codesign-binary:
    runs-on: windows-latest
    steps:
      - name: Download Release Asset
        uses: robinraju/[email protected]
        with:
          repository: "organization/repository"
          token: ${{ secrets.token }}
          latest: true
          fileName: "*.zip"
          github-api-url: "https://organization.com/api/v3"
Change the v1.10 to v1.4 and the error does not appear
Expected behavior Release asset is downloaded
Thanks for building this action! That was exactly what I needed for some of my projects :)
Is your feature request related to a problem? Please describe.
When running this action on macOS runners, I hit #347 quite a lot of times. Restarting the job a couple of times eventually makes it successful
Describe the solution you'd like
A way for the action to retry on failure, for example, by specifying a max number of retry attempts and a delay time in between
Describe alternatives you've considered
Additional context
At https://github.com/c3os-io/c3os/ I'm planning to use this action to run upgrade tests from latest releases - but currently this is almost not doable at all for the problem mentioned above
Using [email protected]; if I set both out-file-path and fileName, fileName gets ignored.
Describe the bug
When using release-downloader, the step fails because no asset could be found. The asset was created while creating a tag and also added to the release (see screenshot).
I have two jobs, the first one creates the release, the second one should download the asset to deploy to S3 bucket.
A debug log is attached below.
Am I doing something wrong?
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The attached asset should be downloaded and extracted.
Action Environment (please complete the following information):
Additional context
Debug log:
##[debug]Evaluating condition for step: 'Getting asset 📦'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Getting asset 📦
##[debug]Loading inputs
##[debug]Evaluating: github.ref_name
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'ref_name'
##[debug]=> 'v3.1.9'
##[debug]Result: 'v3.1.9'
##[debug]Evaluating: secrets.GITHUB_TOKEN
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'GITHUB_TOKEN'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Evaluating: github.repository
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'repository'
##[debug]=> 'milhouse-solutions/apothekia-frontend'
##[debug]Result: 'milhouse-solutions/apothekia-frontend'
##[debug]Loading env
Run robinraju/[email protected]
with:
tag: v3.1.9
tarBall: true
extract: true
token: ***
repository: milhouse-solutions/apothekia-frontend
latest: false
preRelease: false
fileName: *
zipBall: false
out-file-path: .
github-api-url: https://api.github.com/
Fetching release v3.1.9 from repo milhouse-solutions/apothekia-frontend
Found release tag: v3.1.9
Error: No assets found in release v3.1.9
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Getting asset 📦
My jobs config:
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment:
      name: ${{ inputs.environment || 'staging' }}
    steps:
      - name: Checking out code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}
      - name: Getting asset 📦
        uses: robinraju/[email protected]
        with:
          tag: ${{ github.ref_name }}
          tarBall: true
          extract: true
          token: ${{ secrets.GITHUB_TOKEN }}
Describe the bug
macos-11 only, Error: [getlatestRelease] Unexpected response: 403 when downloading source code from numpy/numpy.
To Reproduce
jobs:
  macos-cp39:
    runs-on: macos-11
    steps:
      - name: Setup Python
        uses: actions/[email protected]
        with:
          python-version: 3.9
          architecture: x64
      - uses: robinraju/[email protected]
        name: Download latest numpy source
        with:
          repository: "numpy/numpy"
          latest: true
          zipBall: true
          out-file-path: "downloads"
No issue in linux-latest so far.
Github action link: https://github.com/noonchen/STDF-Viewer/runs/4549369806?check_suite_focus=true
Any suggestions what happened? It worked pretty fine before.
Problem:
Many GH releases publish multiple assets. Most of the time these assets are not directly usable because they are packaged in an archive. A good example is the prometheus repo where every asset is a tar.gz or zip archive.
To use the executables in the archive users must use or even install additional platform dependent tools to extract these. In GH Action this is a substantial overhead with at least one additional step in each workflow.
Solution:
I would like the option to automatically extract all archives while using this action. This action is based on NodeJS and has the power to extract files without handling platform specific requirements.
The alternative would be to use at least one or more additional steps to setup tar, gzip or a windows alternative for zip to extract files.
I will provide a reference implementation as soon as possible
Describe the bug
As above.
To Reproduce
Run the action on enterprise server - it will continue to target github.com and 404 (or 401) depending on the path. Worst case scenario is it downloads packages from github.com that could be malicious.
Expected behavior
Read from github environment the correct API server.
Screenshots
NA
Action Environment (please complete the following information):
Additional context
Add any other context about the problem here.
Is your feature request related to a problem? Please describe.
You currently have tag_name and downloaded_files as options, but there could be more.
Describe the solution you'd like
version_name
Describe alternatives you've considered
N/A
Additional context
For example, in your case it would output "Release Downloader v1.8" instead of "v1.8".
https://github.com/robinraju/release-downloader/releases/tag/v1.8
Is your feature request related to a problem? Please describe.
I have a workflow that outputs a release ID and for higher precision I'd like to use this instead of the tag to identify a release
Describe the solution you'd like
An input for release ID
Describe alternatives you've considered
I can just pass the tag
Additional context
I can probably PR this but haven't looked at the code yet.
Describe the bug No assets found in release.
To Reproduce
I have the following action in a private repository:
name: Release Creation
on:
  release:
    types: [published]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Download release asset file
        id: release_data
        uses: robinraju/[email protected]
        with:
          token: ${{ secrets.MY_TOKEN }} # Attempted with default (nothing), explicitly using GITHUB_TOKEN, and my own token.
          latest: true
          zipBall: true
Expected behavior
The tarball zip being downloaded.
When choosing the "latest" tag I find myself wanting to know which tag name it is using.
I would like to be able to refer to the outputs of this action to use in another step in the same workflow to create logs and upload release artifacts.
I could use another action like actions/create-release but I think having the information available in this action would be more reliable.
Some create-release actions output basic reusable properties such as
Output name | Description |
---|---|
id | The identifier of the created release. |
html_url | The HTML URL of the release. |
upload_url | The URL for uploading assets to the release. |
Is your feature request related to a problem? Please describe.
We want to be able to use a wildcard aka "*.deb" to download all assets with that file extension.
Describe the solution you'd like
Support for fileName: "*.deb"
Describe alternatives you've considered
Download all files with fileName: "*"
Additional context
Seems like it would be implemented right here:
release-downloader/src/download.ts
Line 135 in 2dd2f66
Describe the bug
When run, the following warning is received. Would you make the suggested change? Thanks!
"The set-output command is deprecated and will be disabled soon. Please upgrade to using Environment Files."
To Reproduce
Steps to reproduce the behavior:
Expected behavior
No warning.
Screenshots
Action Environment (please complete the following information):
Additional context
Hi
Would you please add an option to extract tar.xz files?
Describe the bug
A clear and concise description of what the bug is.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A clear and concise description of what you expected to happen.
Screenshots
If applicable, add screenshots to help explain your problem.
Action Environment (please complete the following information):
Additional context
Add any other context about the problem here.
Describe the bug
We had an example where downloading the release didn't download any files but the action thought everything was sweet
To Reproduce
Can't repro - likely issue with GH API or some kind of eventual consistency/race condition
Expected behaviour
If downloading a release and no files are found in the release throw an exception
Additional context
It looks like we could tweak the handling of release downloads to warn/throw if a release is found but no files are found in it.
Happy to take a look at doing a PR if that would help - thinking we could tweak the if statement here
Describe the bug
Hi there, and thanks for the great Action. We're using it to install one of our internal tools by downloading the binary asset from the latest release. Sometimes the CI/CD for that tool fails such that the release exists, but the asset we're looking for doesn't.
In such a case, release-downloader succeeds, and we fail in more confusing ways later. I think release-downloader should fail if it can't find the requested asset -- which would be much clearer for us.
To Reproduce
Steps to reproduce the behavior:
Have a project with a Release but no asset named x86_64-linux.tar.gz
Run this action with,
with:
  repository: that/project
  latest: true
  fileName: x-x86_64-linux.tar.gz
  token: ***
  tarBall: false
  zipBall: false
  out-file-path: .
Expected behavior
A clear error, something like:
Asset x-x86_64-linux.tar.gz does not exist on latest Release ({release name})
Screenshots
Action Environment (please complete the following information):
ubuntu-latest
Additional context
Add any other context about the problem here.
Describe the bug
I have a monorepo and just added another workflow for a different app. I made sure to tag its releases as ai-annotator-release.tar.gz.
To Reproduce
These are the two steps in question. The first one only runs when input is not latest and it works. The second one is copy pasted and does not work. In another action the same thing does work and the only difference I can see is that:
fileName: "ai-annotator-release.tar.gz
steps:
  # THIS STEP WORKS
  - name: Download specific release
    if: "${{ github.event.inputs.version != 'latest' }}"
    uses: robinraju/[email protected]
    with:
      repository: ${{ github.repository }}
      fileName: "ai-annotator-release.tar.gz"
      token: ${{ secrets.GITHUB_TOKEN }}
      tag: ${{ github.event.inputs.version }}
  - name: Download latest release
    # THIS STEP FAILS
    if: "${{ github.event.inputs.version == 'latest' }}"
    uses: robinraju/[email protected]
    with:
      repository: ${{ github.repository }}
      fileName: "ai-annotator-release.tar.gz"
      token: ${{ secrets.GITHUB_TOKEN }}
      latest: true
Expected behavior
It should
Action Environment (please complete the following information):
Additional context
I'm not sure this is actually a bug or if I'm doing something wrong.
Is your feature request related to a problem? Please describe.
Hi. Thanks for sharing this Action. It does exactly what I need.
I'm fetching the "latest" release for my project and it would be nice to know exactly which release was fetched. When debugging a run, it is not always clear which release was the "latest" release at the time of the run.
Describe the solution you'd like
Something like:
Run robinraju/[email protected]
with:
repository: rfdonnelly/scma-gcal-sync
latest: true
fileName: scma-gcal-sync
tarBall: false
zipBall: false
out-file-path: .
Fetching latest release for repo rfdonnelly/scma-gcal-sync
Downloading file: scma-gcal-sync to: /home/runner/work/scma-gcal-sync/scma-gcal-sync
+Downloaded release v1.2.0
Done: /home/runner/work/scma-gcal-sync/scma-gcal-sync/scma-gcal-sync
Describe alternatives you've considered
I've considered manually printing the version information of the downloaded release (e.g. program --version) but details of how to implement this would be different for every project and it may not match the GitHub release. The GitHub release information is more authoritative.