ci: enhance GitHub release workflow with token handling and file upload improvements

.github/workflows/github-release.yml

@@ -2,12 +2,19 @@ name: GitHub Release
 
 on:
   workflow_call:
+    secrets:
+      GITHUB_TOKEN:
+        description: 'GitHub token for release creation'
+        required: true
+
+permissions:
+  contents: write
 
 jobs:
   create-release:
     runs-on: ubuntu-latest
-    #permissions:
+    permissions:
-    #  contents: write
+      contents: write
     steps:
     - uses: actions/checkout@v4
     
@@ -97,35 +104,40 @@ jobs:
 
     - name: Create GitHub Release
       env:
-        GH_TOKEN: ${{ github.token }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
         VERSION=${{ steps.get_version.outputs.VERSION }}
-        
-        # Create release with available files
         cd .pio/build/esp32dev
-        FILES_TO_UPLOAD=""
         
-        # Always add firmware
+        # Create the release first
-        if [ -f "filaman_${VERSION}.bin" ]; then
+        RELEASE_JSON=$(curl -L \
-          FILES_TO_UPLOAD="$FILES_TO_UPLOAD filaman_${VERSION}.bin"
+          -X POST \
-        fi
+          -H "Accept: application/vnd.github+json" \
+          -H "Authorization: Bearer $GITHUB_TOKEN" \
+          -H "X-GitHub-Api-Version: 2022-11-28" \
+          "https://api.github.com/repos/$GITHUB_REPOSITORY/releases" \
+          -d "{
+            \"tag_name\":\"v${VERSION}\",
+            \"name\":\"Release ${VERSION}\",
+            \"body\":\"${{ steps.changelog.outputs.CHANGES }}\",
+            \"draft\":false,
+            \"prerelease\":false
+          }")
         
-        # Add SPIFFS and full binary only if they exist
+        # Extract the upload URL from the response
-        if [ -f "webpage_${VERSION}.bin" ]; then
+        UPLOAD_URL=$(echo "$RELEASE_JSON" | jq -r .upload_url | sed 's/{?name,label}//')
-          FILES_TO_UPLOAD="$FILES_TO_UPLOAD webpage_${VERSION}.bin"
-        fi
         
-        if [ -f "filaman_full_${VERSION}.bin" ]; then
+        # Upload the binary files
-          FILES_TO_UPLOAD="$FILES_TO_UPLOAD filaman_full_${VERSION}.bin"
+        for file in filaman_${VERSION}.bin webpage_${VERSION}.bin filaman_full_${VERSION}.bin; do
-        fi
+          if [ -f "$file" ]; then
-        
+            echo "Uploading $file..."
-        # Create release with available files
+            curl -L \
-        if [ -n "$FILES_TO_UPLOAD" ]; then
+              -X POST \
-          gh release create "v${VERSION}" \
+              -H "Accept: application/vnd.github+json" \
-            --title "Release ${VERSION}" \
+              -H "Authorization: Bearer $GITHUB_TOKEN" \
-            --notes "${{ steps.changelog.outputs.CHANGES }}" \
+              -H "X-GitHub-Api-Version: 2022-11-28" \
-            $FILES_TO_UPLOAD
+              -H "Content-Type: application/octet-stream" \
-        else
+              "${UPLOAD_URL}?name=${file}" \
-          echo "Error: No files found to upload"
+              --data-binary "@${file}"
-          exit 1
           fi
+        done

.github/workflows/release.yml

@@ -5,6 +5,9 @@ on:
     tags:
       - 'v*'
 
+permissions:
+  contents: write
+
 jobs:
   detect-provider:
     runs-on: ubuntu-latest
@@ -23,8 +26,12 @@ jobs:
 
   github-release:
     needs: detect-provider
+    permissions:
+      contents: write
     if: needs.detect-provider.outputs.provider == 'github'
     uses: ./.github/workflows/github-release.yml
+    secrets:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   gitea-release:
     needs: detect-provider