Merge pull request 'fix(ci): use Gitea file API to push CHANGELOG.md' (#40 ) from fix/changelog-push into master

Reviewed-on: #40
fix(ci): harden CHANGELOG.md API push step per review
2026-04-13 03:18:10 +00:00 · 2026-04-12 22:13:25 -05:00 · 2026-04-12 22:06:21 -05:00
1 changed files with 37 additions and 8 deletions
--- a/.gitea/workflows/auto-tag.yml
+++ b/.gitea/workflows/auto-tag.yml
@ -134,15 +134,44 @@ jobs:
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
-          set -eu
+          set -euo pipefail
-          git add CHANGELOG.md
+          API="http://172.0.0.29:3000/api/v1/repos/$GITHUB_REPOSITORY"
-          if git diff --staged --quiet; then
+          TAG=$(git describe --tags --abbrev=0)
-            echo "No changelog changes"
+          # Validate tag format to prevent shell injection in commit message / JSON
-          else
+          if ! echo "$TAG" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
-            TAG=$(git describe --tags --abbrev=0)
+            echo "ERROR: Unexpected tag format: $TAG"
-            git commit -m "chore: update CHANGELOG.md for ${TAG} [skip ci]"
+            exit 1
            git push origin HEAD:master
          fi
          # Fetch current blob SHA from master; empty if file doesn't exist yet
          CURRENT_SHA=$(curl -sf \
            -H "Accept: application/json" \
            -H "Authorization: token $RELEASE_TOKEN" \
            "$API/contents/CHANGELOG.md?ref=master" 2>/dev/null \
            | jq -r '.sha // empty' 2>/dev/null || true)
          # Base64-encode content (no line wrapping)
          CONTENT=$(base64 -w 0 CHANGELOG.md)
          # Build JSON payload — omit "sha" when file doesn't exist yet (new repo)
          PAYLOAD=$(jq -n \
            --arg msg  "chore: update CHANGELOG.md for ${TAG} [skip ci]" \
            --arg body "$CONTENT" \
            --arg sha  "$CURRENT_SHA" \
            'if $sha == ""
             then {message: $msg, content: $body, branch: "master"}
             else {message: $msg, content: $body, sha: $sha, branch: "master"}
             end')
          # PUT atomically updates (or creates) the file on master — no fast-forward needed
          RESP_FILE=$(mktemp)
          HTTP_CODE=$(curl -s -o "$RESP_FILE" -w "%{http_code}" -X PUT \
            -H "Authorization: token $RELEASE_TOKEN" \
            -H "Content-Type: application/json" \
            -d "$PAYLOAD" \
            "$API/contents/CHANGELOG.md")
          if [ "$HTTP_CODE" -lt 200 ] || [ "$HTTP_CODE" -ge 300 ]; then
            echo "ERROR: Failed to update CHANGELOG.md (HTTP $HTTP_CODE)"
            cat "$RESP_FILE" >&2
            exit 1
          fi
          echo "✓ CHANGELOG.md committed to master"
      - name: Upload CHANGELOG.md as release asset
        env:
Author	SHA1	Message	Date
sarman	f7011c8837	Merge pull request 'fix(ci): use Gitea file API to push CHANGELOG.md' (#40 ) from fix/changelog-push into master Some checks failed Auto Tag / autotag (push) Successful in 7s Details Auto Tag / wiki-sync (push) Successful in 5s Details Auto Tag / changelog (push) Successful in 53s Details Auto Tag / build-linux-arm64 (push) Successful in 14m55s Details Auto Tag / build-windows-amd64 (push) Successful in 15m35s Details Auto Tag / build-macos-arm64 (push) Successful in 10m26s Details Auto Tag / build-linux-amd64 (push) Failing after 7m50s Details Reviewed-on: #40	2026-04-13 03:18:10 +00:00
Shaun Arman	f74238a65a	fix(ci): harden CHANGELOG.md API push step per review All checks were successful Test / rust-fmt-check (pull_request) Successful in 26s Details Test / frontend-typecheck (pull_request) Successful in 1m37s Details Test / frontend-tests (pull_request) Successful in 1m25s Details PR Review Automation / review (pull_request) Successful in 3m54s Details Test / rust-clippy (pull_request) Successful in 4m25s Details Test / rust-tests (pull_request) Successful in 5m47s Details - set -euo pipefail (was -eu; pipefail catches silent pipe failures) - Validate TAG against ^v[0-9]+\.[0-9]+\.[0-9]+$ before use in commit message and JSON payload — prevents shell injection - Tolerate 404 on SHA fetch (new file): curl 2>/dev/null or true keeps CURRENT_SHA empty rather than causing jq to abort - Use jq -n to build JSON payload — conditionally omits sha field when file does not exist yet; eliminates manual string escaping - Check HTTP status of PUT; print response body and exit 1 on non-2xx - Add Accept: application/json header to SHA fetch request	2026-04-12 22:13:25 -05:00
Shaun Arman	2da529fb75	fix(ci): use Gitea file API to push CHANGELOG.md — eliminates non-fast-forward rejection All checks were successful Test / rust-fmt-check (pull_request) Successful in 14s Details PR Review Automation / review (pull_request) Successful in 2m57s Details Test / frontend-typecheck (pull_request) Successful in 1m15s Details Test / frontend-tests (pull_request) Successful in 1m18s Details Test / rust-clippy (pull_request) Successful in 5m34s Details Test / rust-tests (pull_request) Successful in 6m52s Details git push origin HEAD:master fails when master advances between the job's fetch and its push. Replace with PUT /repos/.../contents/CHANGELOG.md which atomically updates the file on master regardless of HEAD position.	2026-04-12 22:06:21 -05:00