From 3233d65db0d91acee5bf33543dcef90ca0eb7ee8 Mon Sep 17 00:00:00 2001
From: josh <josh@thewrightserver.net>
Date: Sat, 28 Mar 2026 13:49:38 -0400
Subject: [PATCH] fix: remove npm cache and fix release notes shell injection

cache: npm caused ~4min ETIMEDOUT on every run (cache service unreachable).

Commit messages containing backticks were shell-expanded inside the
curl -d "..." string, causing 'sha: No such file or directory'. Fixed by
writing release notes to a temp file and using python3 to build the JSON
payload, then passing it to curl with --data @file.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .gitea/workflows/release.yml | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 6e08a87..ceebbab 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -20,7 +20,6 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: 'lts/*'
-          cache: npm
 
       - run: npm ci
       - run: npm test
@@ -48,12 +47,10 @@ jobs:
         run: |
           LAST_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
           if [ -n "$LAST_TAG" ]; then
-            NOTES=$(git log "${LAST_TAG}..HEAD" --pretty=format:"- %s" --no-merges)
+            git log "${LAST_TAG}..HEAD" --pretty=format:"- %s" --no-merges > /tmp/release_notes.txt
           else
-            NOTES=$(git log --pretty=format:"- %s" --no-merges)
+            git log --pretty=format:"- %s" --no-merges > /tmp/release_notes.txt
           fi
-          NOTES_JSON=$(printf '%s' "$NOTES" | python3 -c "import sys,json; print(json.dumps(sys.stdin.read()))")
-          echo "NOTES=${NOTES_JSON}" >> $GITEA_ENV
 
       - name: Docker metadata
         id: meta
@@ -82,14 +79,22 @@ jobs:
 
       - name: Create Gitea release
         run: |
+          python3 -c "
+import json, os
+notes = open('/tmp/release_notes.txt').read()
+version = os.environ['VERSION']
+image = os.environ['IMAGE']
+payload = {
+    'tag_name': 'v' + version,
+    'name': 'Catalyst v' + version,
+    'body': '### Changes\n\n' + notes + '\n\n### Image\n\n\`' + image + ':' + version + '\`',
+    'draft': False,
+    'prerelease': False,
+}
+print(json.dumps(payload))
+" > /tmp/release_body.json
           curl -sf -X POST \
             -H "Authorization: token ${{ secrets.TOKEN }}" \
             -H "Content-Type: application/json" \
             "${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/releases" \
-            -d "{
-              \"tag_name\": \"v${{ env.VERSION }}\",
-              \"name\": \"Catalyst v${{ env.VERSION }}\",
-              \"body\": \"### Changes\n\n${{ env.NOTES }}\n\n### Image\n\n\`${{ env.IMAGE }}:${{ env.VERSION }}\`\",
-              \"draft\": false,
-              \"prerelease\": false
-            }"
+            --data @/tmp/release_body.json
-- 
2.39.5