ci: generate github release notes separately from creating github release

bluetech · bluetech · commit 9545c6a26f53 · 2025-11-03T23:19:11.000+02:00
Since creating the github release is security sensitive, better to
isolate the part of generating the markdown release notes in its own
job, such that if e.g. pip/tox/pandoc is compromised it could not in
turn compromise the release files.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -69,28 +69,18 @@ jobs:
         git tag --annotate --message=v"$VERSION" "$VERSION" ${{ github.sha }}
         git push origin "$VERSION"
 
-  release-notes:
-
-    # todo: generate the content in the build  job
-    #       the goal being of using a github action script to push the release data
-    #       after success instead of creating a complete python/tox env
-    needs: [deploy]
+  generate-gh-release-notes:
+    needs: [package]
     runs-on: ubuntu-latest
     timeout-minutes: 30
     permissions:
-      contents: write
+      contents: read
     steps:
     - uses: actions/checkout@v5
       with:
         fetch-depth: 0
         persist-credentials: false
 
-    - name: Download Package
-      uses: actions/download-artifact@v6
-      with:
-        name: Packages
-        path: dist
-
     - name: Set up Python
       uses: actions/setup-python@v6
       with:
@@ -106,11 +96,37 @@ jobs:
         VERSION: ${{ github.event.inputs.version }}
       run: |
         sudo apt-get install pandoc
-        tox -e generate-gh-release-notes -- "$VERSION" scripts/latest-release-notes.md
+        tox -e generate-gh-release-notes -- "$VERSION" gh-release-notes.md
+
+    - name: Upload release notes
+      uses: actions/upload-artifact@v4
+      with:
+        name: release-notes
+        path: gh-release-notes.md
+        retention-days: 1
+
+  create-github-release:
+    needs: [generate-gh-release-notes, deploy]
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: write
+    steps:
+    - name: Download Package
+      uses: actions/download-artifact@v6
+      with:
+        name: Packages
+        path: dist
+
+    - name: Download release notes
+      uses: actions/download-artifact@v6
+      with:
+        name: release-notes
+        path: .
 
     - name: Publish GitHub Release
       env:
         VERSION: ${{ github.event.inputs.version }}
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
-        gh release create --notes-file scripts/latest-release-notes.md --verify-tag "$VERSION" dist/*
+        gh release create --notes-file gh-release-notes.md --verify-tag "$VERSION" dist/*
