How to upload a file to a GitHub release in a workflow

Background

I built a little CLI utility for converting RSS/Atom feeds to Markdown files called FeedMD. I wanted to create a workflow that builds FeedMD for each of the supported platforms and then uploads the compiled binaries to the release I just created like this.

The research

My superpower isn’t remembering everything off the top of my head so the first thing I did was to search for the details on how to do this using ’that big search engine that shall not be named’. And oh my gosh, I came across so many third party actions.

Honestly I was expecting some more GitHub CLI, I only found one reference buried in a StackOverflow answer. Third party actions have their place, but they’re not for doing routine work - they’re a lot to use securely. You’ll need to fork, code review, and actively keep your fork up to date etc…

The approach I took

I just used the GitHub CLI. I try to avoid pulling in actions from the marketplace if practical, especially is it’s for something simple supported by GitHub CLI. GitHub CLI is pre-installed on all GitHub runners and allow you to run any GitHub CLI command. Including gh release upload <tag> <files>... which uploads files to a release with a specifc tag. Perfect.

Here’s the important parts of the deployment file

# Trigger this workflow on release
on:
  release:
    types: [published]

# Make sure the GITHUB_TOKEN has permission to upload to our releases
permissions:
  contents: write

... SOME OTHER STUFF GOES HERE ...

# Build the FeedMD CLI utility, and upload to the release that triggered the workflow 
- name: '📦 Package windows x64'
    run: |
        cd ${{github.workspace}}
        dotnet publish feedmd.csproj -r win-x64 -c Release -o bin/win-x64
        zip -r feedmd-win-x64.zip bin/win-x64 -j
        gh release upload ${{github.event.release.tag_name}} feedmd-win-x64.zip        
    env:
      GITHUB_TOKEN: ${{ github.TOKEN }}
    shell: bash

You can view the full deployment file here.

Summary

Maybe this should have been a blog post about the problems of blindly trusting GitHub Actions in the marketplace. Who knows, at least we know how to simply and safely upload to our GitHub releases now.

Noticed an error or omission? Please look at submitting a pull request.