Is your feature request related to a problem? Please describe.

Hi. Thanks for sharing this Action. It does exactly what I need.

I'm fetching the "latest" release for my project and it would be nice to know exactly which release was fetched. When debugging a run, it is not always clear which release was the "latest" release at the time of the run.

Describe the solution you'd like

Something like:

 Run robinraju/[email protected]
   with:
     repository: rfdonnelly/scma-gcal-sync
     latest: true
     fileName: scma-gcal-sync
     tarBall: false
     zipBall: false
     out-file-path: .
 Fetching latest release for repo rfdonnelly/scma-gcal-sync
 Downloading file: scma-gcal-sync to: /home/runner/work/scma-gcal-sync/scma-gcal-sync
+Downloaded release v1.2.0
 Done: /home/runner/work/scma-gcal-sync/scma-gcal-sync/scma-gcal-sync

Describe alternatives you've considered

I've considered manually printing the version information of the downloaded release (e.g. program --version) but details of how to implement this would be different for every project and it may not match the GitHub release. The GitHub release information is more authoritative.

Is your feature request related to a problem? Please describe.
I can only download the latest, the prerelease or a specific release. I would like to download the 2nd and 3rd latest releases, since I can't keep track of the releases / ids. This is because I use the Tauri Action and it takes care of the releases. The download doesn't have to be all at once, the Action could be called multiple times for multiple deltas.

Describe the solution you'd like
Maybe something like latest_delta: int
Where the int is the amount of releases from the latest that you want to download. It would default to 0

Describe alternatives you've considered
Start tracking releases in a different way so I can call the specific release

Describe the bug
I tried to use the actions for downloading the release assets based on the following options

1. latest field by setting it to true and removing other fields like Tag
2. setting latest field to false and assigning a Tag version

In both the cases i get different error regarding the field:
I get Error: [getlatestRelease] Unexpected response: 404 when i use the latest field

If i use the tag instead of latest field then i get the same error for the tag
Error: [getReleaseByTag] Unexpected response: 404
Kindly let me know on how to solve this issue.

Action Environment (please complete the following information):

• OS: [ubuntu-latest]

Describe the bug
When run, the following warning is received. Would you make the suggested change? Thanks!
"The set-output command is deprecated and will be disabled soon. Please upgrade to using Environment Files."

To Reproduce
Steps to reproduce the behavior:

1. Run the action

Expected behavior
No warning.

Screenshots

Action Environment (please complete the following information):

• OS: linux

Additional context

Thanks for building this action! that was exactly what I needed for some of my projects :)

Is your feature request related to a problem? Please describe.
When running this action on macOS runners, I hit #347 quite a lot of times. Restarting the job a couple of times eventually makes it successfull

Describe the solution you'd like
A way for the action to retry on failure, for example, by specifying a max number of retry attempts and a delay time in between

Describe alternatives you've considered

• I've tried with https://github.com/marketplace/actions/retry-action, but running this action with it brings always a constant 404
• A separate job running on Linux runners and pass over the artifacts between jobs

Additional context
At https://github.com/c3os-io/c3os/ I'm planning to use this action to run upgrade tests from latest releases - but currently this is almost not doable at all for the problem mentioned above

Describe the bug
As above.

To Reproduce
Run the action on enterprise server - it will continue to target github.com and 404 (or 401 ) depending on the path. Worst case scenario is it downloads packages from github.com that could be malicious.

Expected behavior
Read from github enviroment the correct API server.

Screenshots
NA

Action Environment (please complete the following information):

• OS: self hosted which is close to ubuntu latest

Additional context
Add any other context about the problem here.

"executable" permission is lost when zip is extracted.

1. Prepare release zip archive with binaries with "executable" permissions
2. Download it via this action, extract: true
3. See that "executable" permissions are lost.

I would expect permissions to be preserved.

OS: ubuntu-20.04

Describe the bug
We had an example where downloading the release didn't download any files but the action thought everything was sweet

To Reproduce
Can't repro - likely issue with GH API or some kind of eventual consistency/race condition

Expected behaviour
If downloading a release and no files are found in the release throw an exception

Additional context
It looks like we could tweak the handling of release downloads to warn/throw if a release is found but no files are found in it.
Happy to take a look at doing a PR if that would help - thinking we could tweak the if statement here

At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of GITHUB_TOKEN permissions needed by different GitHub Actions. When developers try to set minimum token permissions for their workflows, they can use this knowledge-base instead of trying to research permissions needed by each GitHub Action they use.

Below you can see the KB of your GITHUB Action.

name: "release-downloader"
github-token:
  action-input:
    input: token
    is-default: false
  permissions:
    contents: read
    contents-reason: to download release from private repo #Checkout: https://github.com/robinraju/release-downloader#usage
    
#Fixes #624

If you think this information is not accurate, or if in the future your GitHub Action starts using a different set of permissions, please create an issue at https://github.com/step-security/secure-workflows/issues to let us know.

This issue is automatically created by our analysis bot, feel free to close after reading :)

References:

GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

Setting minimum token permissions is also checked for by Open Source Security Foundation (OpenSSF) Scorecards. Scorecards recommend using https://github.com/step-security/secure-workflows so developers can fix this issue in an easier manner.

Is your feature request related to a problem? Please describe.
I am not sure how to allow download of the latest prerelease.

Describe the solution you'd like
I would like a flag that allows me to include prereleases in the list of releases to pull from.

Describe alternatives you've considered
None

When choosing the "latest" tag I find myself wanting to know which tag name it is using.

I would like to be able to refer to the outputs of this action to use in another step in the same workflow to create logs and upload release artifacts.

I could use another action like actions/create-release but I think having the information available in this action would be more reliable.

Some create-release actions output basic reusable properties such as

Action Outputs

Problem:
Many GH Release publish multiple assets. Most of the time these assets are not directly usable because they are packages in an archive. A good example is the prometheus repo where every asset is a tar.gz or zip archive.

To use the executables in the archive users must use or even install additional platform dependent tools to extract these. In GH Action this is a substantial overhad with at least one additional step in each workflow.

Solution:
I would like the option to automatically extract all archives while using this action. This action is based on NodeJS and has the power to extract files without handling platform specific requirements.

The alternative would be to use at least one or more additional steps to setup tar, gzip or a windows alternative for zip to extract files.

I will provide a reference implementation as soon as possible

Is your feature request related to a problem? Please describe.
You currently have tag_name and downloaded_files as options, but there could be more.

Describe the solution you'd like
version_name

Describe alternatives you've considered
N/A

Additional context
For example, in your case it would output "Release Downloader v1.8" instead of "v1.8".

https://github.com/robinraju/release-downloader/releases/tag/v1.8

Describe the bug
The extract option in 1.9 version seems to be broken. I have a release zip artifact which contains contents as:
artifact.zip
|__ conf (directory)
|__ dags (directory)
|__ requirements.txt (file)

When 1.9 version does extraction, it somehow extracts only as:
artifact.zip
|__ dags (directory)

missing both the conf and requirements.txt.

1.8 version seemed to work and extract fine. I came to know when my deployment pipeline started to fail after bumping the download action to 1.9. Now reverted it back to 1.8 and works fine.

To Reproduce
Steps to reproduce the behavior:

1. Create a release zip artifact as mentioned above containing a couple of directories and a file
2. Use the action with extract option
3. Check the contents of extracted output

Expected behavior
the extraction in 1.9 version should behave the same as 1.8 i.e., the zip extraction should extract the contents correctly

Action Environment (please complete the following information):

• OS: ubuntu-latest

Describe the bug
As of this morning, all downloads using this action are giving a 400

eg

Fetching latest release for repo RentTheRunway/<repo>
Downloading file: <tool>-linux-amd64.tar.gz to: /runner/_work/<runner>
Error: Unexpected response: 400

Curious if anyone else just started seeing this? Maybe the API changed today?

To Reproduce
Steps to reproduce the behavior:

1. Execute a download against a private repo

Expected behavior
It should successfully download the artifact

Action Environment (please complete the following information):

• OS: ubuntu (self-hosted)

Additional context
I'm running with the following

      - uses: robinraju/[email protected]
        with:
          repository: "RentTheRunway/<repo>"
          latest: true
          fileName: "<file>-linux-amd64.tar.gz"
          token: ${{ secrets.ACCESS_TOKEN_GITHUB }}

Is your feature request related to a problem? Please describe.

I have a release asset that contains some . dll files.
When using the "extract: true" option on execution I'm getting
"Error: Malicious entry: Checklist.Serialization.Desktop.resources.dll"
I'm not sure if this happens for any .dll files

Describe the solution you'd like
The node-stream-zip library has an option to skip the file name validation.

https://github.com/antelle/node-stream-zip/blob/master/release-notes.md

Can we have a flag on the action level itself and the unzip command to be executed with the flag skipEntryNameValidation depending on the bool value set as param?

Describe the bug

Hi there, and thanks for the great Action. We're using it to install one of our internal tools by downloading the binary asset from the latest release. Sometimes the CI/CD for that tool fails such that the release exists, but the asset we're looking for doesn't.

In such a case, release-downloader succeeds, and we fail in more confusing ways later. I think release-downloader should fail if it can't find the requested asset -- which would be much clearer for us.

To Reproduce

Steps to reproduce the behavior:

1. Have a project with a Release but no asset named x86_64-linux.tar.gz

2. Run this action with,

   with:
     repository: that/project
     latest: true
     fileName: x-x86_64-linux.tar.gz
     token: ***
     tarBall: false
     zipBall: false
     out-file-path: .

Expected behavior

A clear error, something like:

Asset x-x86_64-linux.tar.gz does not exist on latest Release ({release name})

Screenshots

Action Environment (please complete the following information):

• OS: ubuntu-latest

Additional context
Add any other context about the problem here.

Hi
would you please add a option to extract tar.xz files?

Using [email protected]; if I set both out-file-path and fileName, fileName gets ignored.

Remove original files after extracting archives.

Is your feature request related to a problem? Please describe.
I have a workflow that outputs a release ID and for higher precision I'd like to use this instead of the tag to identify a release

Describe the solution you'd like
An input for release ID

Describe alternatives you've considered
I can just pass the tag

Additional context
I can probably PR this but haven't looked at the code yet.

For cross repositories release downloader, if I don't want to use PAT, can I use github app token instead?
like this:
- name: Generate token
id: generate_token
uses: tibdex/github-app-token@v1
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}

- name: Download release tar
  uses: robinraju/[email protected]
  with:
    repository: "XX/XX"
    latest: true
    fileName: "AAA"
    out-file-path: "xxx"
    token: ${{steps.generate_token.outputs.token}}

I tried, but failed.

Hi@robinraju

I used the release-downloader and get the latest version. The problem and error appearing is: Error: there are no assets found.
The problem is, there are assets. Is there a solution for this?

Note - with version 1.8, it works.

• name: Dummy Release
  uses: robinraju/[email protected]
  with:
  tag: ${{ xyx 'latest' }} # If tag is not provided, default to 'latest'
  fileName: "*.zip"
  token: ${{ xyx }}
  latest: true # Always set to true to download the latest release if tag is not provided or is invalid
  tarBall: true
  zipBall: true
  repository: xyx

Describe the bug
macos-11 only, Error: [getlatestRelease] Unexpected response: 403 when downloading source code from numpy/numpy.

To Reproduce

jobs:
  macos-cp39:
    runs-on: macos-11
    steps:
      - name: Setup Python
        uses: actions/[email protected]
        with:
          python-version: 3.9
          architecture: x64

      - uses: robinraju/[email protected]
        name: Download latest numpy source
        with: 
          repository: "numpy/numpy"
          latest: true
          zipBall: true
          out-file-path: "downloads"

No issue in linux-latest so far.
Github action link: https://github.com/noonchen/STDF-Viewer/runs/4549369806?check_suite_focus=true

Any suggestions what happened? It works pretty fine before.

Is your feature request related to a problem? Please describe.
We want to be able to use a wildcard aka "*.deb" to download all assets with that file extension.

Describe the solution you'd like
Support for fileName: "*.deb"

Describe alternatives you've considered
Download all files with fileName: "*"

Additional context
Seems like it would be implemented right here:

Describe the bug
When using release-downloader, the step fails because no asset could be found. The asset was created while creating a tag and also added to the release (see screenshot).
I have two jobs, the first one creates the release, the second one should download the asset to deploy to S3 bucket.
A debug log is attached below.
Am I doing something wrong?

To Reproduce
Steps to reproduce the behavior:

1. Create a tag and release via semantic-release in the first job.
2. Try to download the asset from the release in the second job.

Expected behavior
The attached asset should be downloaded and extracted.

Screenshots

Action Environment (please complete the following information):

• OS: ubuntu-latest

Additional context
Debug log:

##[debug]Evaluating condition for step: 'Getting asset 📦'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Getting asset 📦
##[debug]Loading inputs
##[debug]Evaluating: github.ref_name
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'ref_name'
##[debug]=> 'v3.1.9'
##[debug]Result: 'v3.1.9'
##[debug]Evaluating: secrets.GITHUB_TOKEN
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'GITHUB_TOKEN'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Evaluating: github.repository
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'repository'
##[debug]=> 'milhouse-solutions/apothekia-frontend'
##[debug]Result: 'milhouse-solutions/apothekia-frontend'
##[debug]Loading env
Run robinraju/[email protected]
  with:
    tag: v3.1.9
    tarBall: true
    extract: true
    token: ***
    repository: milhouse-solutions/apothekia-frontend
    latest: false
    preRelease: false
    fileName: *
    zipBall: false
    out-file-path: .
    github-api-url: https://api.github.com/
Fetching release v3.1.9 from repo milhouse-solutions/apothekia-frontend
Found release tag: v3.1.9
Error: No assets found in release v3.1.9
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Getting asset 📦

My jobs config:

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: 
      name: ${{ inputs.environment || 'staging' }}
    steps:
      - name: Checking out code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}

      - name: Getting asset 📦
        uses: robinraju/[email protected]
        with:
          tag: ${{ github.ref_name }}
          tarBall: true
          extract: true
          token: ${{ secrets.GITHUB_TOKEN }}

Dear @robinraju , i was trying to use this action, seeing 401 error always. Any clue?

Describe the bug
I have a monorepo and just added another workflow for a different app. I made sure to tag its releases as ai-annotator-release.tar.gz.

To Reproduce
This are the two steps in question. The first one only runs when input is not latest and it works. The second one is copy pasted and does not work. In another action the same thing does work and the only difference I can see is that:

• I have fileName: "ai-annotator-release.tar.gz

    steps:
      # THIS STEP WORKS
      - name: Download specific release
        if: "${{ github.event.inputs.version != 'latest' }}"
        uses: robinraju/[email protected]
        with:
          repository: ${{ github.repository }}
          fileName: "ai-annotator-release.tar.gz"
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ github.event.inputs.version }}

      - name: Download latest release
        # THIS STEP FAILS 
        if: "${{ github.event.inputs.version == 'latest' }}"
        uses: robinraju/[email protected]
        with:
          repository: ${{ github.repository }}
          fileName: "ai-annotator-release.tar.gz"
          token: ${{ secrets.GITHUB_TOKEN }}
          latest: true

Expected behavior
It should

Screenshots

Action Environment (please complete the following information):

• OS: ubuntu-latest

Additional context
I'm not sure this is actually a bug or if I'm doing something wrong.

Describe the bug

After upgrading from version 1.8 to 1.9, we ran into an issue where the translations were no longer working correctly inside of our application. (They are built on a separate repo and then downloaded when building the main app)

The hash of the file I am checking when downloaded (and extracted) through v1.8 is 03BFCE70E15EDC39B775E673B5E03FB2F71DAC16A216C4AB5A3803D8F36CE11E.

When using the same config and using v 1.9, the resulting hash is 0BB2FCC4A185967658AE3D3172E80CC713212659BB59DD8884EF193E336F238C.

To Reproduce
Steps to reproduce the behavior:

1. Download our latest translation release via version 1.8 and have it be extracted.
2. Then do the same with version 1.9.
3. Select the same file in both. You should specifically be comparing any of the .mo files as those are what we are having issues with.
4. Compare the hash of the selected files, they will be different.

I really don't understand where this issue could be coming from, but it's certainly causing us issues

Is your feature request related to a problem? Please describe.
when using wildcard '*', i want to get exactly file(s) name

Describe the solution you'd like
Add an output variable like downloaded_files to get the filenames that were downloaded.
To access a specific file name, use '${{ fromJson(steps..outputs.downloaded_files)[0] }}'.

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Action Environment (please complete the following information):

• OS: [e.g. ubuntu-latest]

Additional context
Add any other context about the problem here.