Skip to content

linkcheck.yml: harden release-asset download (from lecture-python-intro review) #566

Description

@mmcky

Suggested hardening for linkcheck.yml

This repo's .github/workflows/linkcheck.yml (download-latest-release-HTML + QuantEcon/action-link-checker) is now shared, near-verbatim, with lecture-python-intro. During the Copilot review of the intro migration PR (QuantEcon/lecture-python-intro#783) three robustness improvements were surfaced and applied there. Filing them here so both repos can stay in sync — none are urgent, and the current workflow works today.

The three improvements

# Change Why
1 Add contents: read to the job permissions The block only grants issues: write; because permissions: resets every unlisted scope to none, the gh api .../releases/latest call runs with contents: none and can fail under org policy / on private repos
2 set -euo pipefail, select a single asset, error if none An empty or multi-line asset match currently flows silently into curl, producing a confusing downstream failure instead of a clear one
3 curl -fsSL instead of curl -sL Without -f, an HTTP error page (404/permission) is piped into tar and fails as a cryptic extraction error rather than a clear download failure

Concrete diff (the two steps + permissions)

    permissions:
      contents: read  # read latest release assets via gh api
      issues: write   # required for QuantEcon link-checker
    steps:
      - name: Get latest release asset URL
        id: release
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          ASSET_URL=$(gh api repos/${{ github.repository }}/releases/latest \
            --jq '[.assets[] | select(.name | endswith(".tar.gz")) | .browser_download_url] | first // ""')
          if [ -z "$ASSET_URL" ]; then
            echo "::error::No .tar.gz asset found on the latest release"
            exit 1
          fi
          echo "asset-url=$ASSET_URL" >> "$GITHUB_OUTPUT"
      - name: Download and extract release HTML
        run: |
          set -euo pipefail
          mkdir -p _site
          curl -fsSL "${{ steps.release.outputs.asset-url }}" | tar -xz -C _site

Not changing: the action pin

Copilot also suggested pinning QuantEcon/action-link-checker@main to a tag/SHA. We opted to keep @main — it is a first-party QuantEcon action and @main is the org convention used across the lecture repos. Noting here only so the decision is on record; if we ever decide to pin QuantEcon actions org-wide, both repos should change together.

Reference: applied in QuantEcon/lecture-python-intro#783.

🤖 Generated with Claude Code

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions