How to upload a file to a GitHub release in a workflow

Background

I built a little CLI utility for converting RSS/Atom feeds to Markdown files called FeedMD. I wanted to create a workflow that builds FeedMD for each of the supported platforms and then uploads the compiled binaries to the release I just created like this.

The research

My superpower isn’t remembering everything off the top of my head so the first thing I did was to search for the details on how to do this using ’that big search engine that shall not be named’. And oh my gosh, I came across so many third party actions.

• Upload To Github Release
• Upload files to a GitHub release
• GH Release
• upload file on release
• upload-release-asset (Obsolete)

Honestly I was expecting some more GitHub CLI, I only found one reference buried in a StackOverflow answer. Third party actions have their place, but they’re not for doing routine work - they’re a lot to use securely. You’ll need to fork, code review, and actively keep your fork up to date etc…

The approach I took

I just used the GitHub CLI. I try to avoid pulling in actions from the marketplace if practical, especially is it’s for something simple supported by GitHub CLI. GitHub CLI is pre-installed on all GitHub runners and allow you to run any GitHub CLI command. Including gh release upload <tag> <files>... which uploads files to a release with a specifc tag. Perfect.

Here’s the important parts of the deployment file

# Trigger this workflow on release
on:
  release:
    types: [published]

# Make sure the GITHUB_TOKEN has permission to upload to our releases
permissions:
  contents: write

... SOME OTHER STUFF GOES HERE ...

# Build the FeedMD CLI utility, and upload to the release that triggered the workflow 
- name: '📦 Package windows x64'
    run: |
        cd ${{github.workspace}}
        dotnet publish feedmd.csproj -r win-x64 -c Release -o bin/win-x64
        zip -r feedmd-win-x64.zip bin/win-x64 -j
        gh release upload ${{github.event.release.tag_name}} feedmd-win-x64.zip        
    env:
      GITHUB_TOKEN: ${{ github.TOKEN }}
    shell: bash

You can view the full deployment file here.

Summary

Maybe this should have been a blog post about the problems of blindly trusting GitHub Actions in the marketplace. Who knows, at least we know how to simply and safely upload to our GitHub releases now.