release 2.5.2

Signed-off-by: Rui Chen <rui@chenrui.dev>

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,97 @@
+name: Bug report
+description: Report a bug or regression in action-gh-release
+title: "[Bug]: "
+labels:
+  - bug
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Before filing:
+        - confirm the problem still reproduces on the latest release or `master`
+        - search existing issues for the same behavior
+        - if the original repository is private, include a minimal public repro, a sanitized workflow snippet, or exact redacted steps a maintainer can follow
+  - type: checkboxes
+    id: checks
+    attributes:
+      label: Pre-flight checks
+      options:
+        - label: I searched existing issues and did not find a duplicate
+          required: true
+        - label: I reproduced this with the latest released version or current `master`
+          required: true
+        - label: I included a reproducible example or a sanitized/redacted reproduction path if the original repository is private
+          required: true
+  - type: input
+    id: action_version
+    attributes:
+      label: action-gh-release version
+      description: Tag, SHA, or ref used in your workflow
+      placeholder: v2.5.2
+    validations:
+      required: true
+  - type: dropdown
+    id: runner
+    attributes:
+      label: Runner operating system
+      options:
+        - ubuntu-latest
+        - windows-latest
+        - macos-latest
+        - other
+    validations:
+      required: true
+  - type: input
+    id: target_repository
+    attributes:
+      label: Release target repository
+      description: Fill this in if you set the `repository:` input
+      placeholder: owner/repo
+  - type: input
+    id: repro_reference
+    attributes:
+      label: Reproduction repo, gist, or artifact
+      description: Link a minimal repro repository, gist, run URL, or other shareable artifact if you have one
+      placeholder: https://github.com/owner/repro-repo
+  - type: textarea
+    id: workflow
+    attributes:
+      label: Workflow snippet
+      description: Include the relevant `uses:` step and inputs. If the original repo is private, paste a sanitized version here.
+      render: yaml
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+    validations:
+      required: true
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual behavior
+    validations:
+      required: true
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps to reproduce
+      description: Include tags, matrix/concurrency details, and any repo rules involved. If the original repo is private, describe the smallest setup a maintainer can recreate locally or in a throwaway repo.
+      placeholder: |
+        1. Trigger workflow with ...
+        2. Action creates ...
+        3. Action fails with ...
+    validations:
+      required: true
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant logs
+      description: Paste the relevant error output or run URL
+      render: shell
+    validations:
+      required: true
+  - type: textarea
+    id: additional
+    attributes:
+      label: Additional context
+      description: Any extra environment, token, ruleset, or asset details

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,50 @@
+name: Feature request
+description: Propose an enhancement or new capability for action-gh-release
+title: "[Feature]: "
+labels:
+  - enhancement
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Use this template for new capabilities, behavior changes, or ergonomics improvements.
+        If you are reporting something broken, use the bug report template instead.
+  - type: checkboxes
+    id: checks
+    attributes:
+      label: Pre-flight checks
+      options:
+        - label: I searched existing issues and did not find a duplicate request
+          required: true
+        - label: This is not a bug report for existing behavior
+          required: true
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem to solve
+      description: What workflow pain point or gap are you trying to address?
+    validations:
+      required: true
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+      description: Describe the behavior, input, or output you want
+    validations:
+      required: true
+  - type: textarea
+    id: workflow
+    attributes:
+      label: Example workflow snippet
+      description: Show how you would expect to use this
+      render: yaml
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Workarounds or other approaches you evaluated
+  - type: textarea
+    id: impact
+    attributes:
+      label: Why this belongs in action-gh-release
+      description: Explain the user impact or why this should live in the action rather than in workflow glue

.github/workflows/main.yml

@@ -8,9 +8,9 @@ jobs:
   build:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
 
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version-file: ".tool-versions"
           cache: "npm"

CHANGELOG.md

@@ -1,3 +1,40 @@
+## 2.5.2
+
+`2.5.2` is a patch release focused on the remaining release-creation and prerelease regressions in the `2.5.x` bug-fix cycle.
+It fixes `#705`, fixes `#708`, fixes `#740`, fixes `#741`, and fixes `#722`.
+Regression testing covers the shared-tag race, prerelease event behavior, dotfile asset labels,
+same-filename concurrent uploads, and blocked-tag cleanup behavior.
+
+If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.
+
+## What's Changed
+
+### Bug fixes 🐛
+
+* fix: canonicalize releases after concurrent create by @chenrui333 in https://github.com/softprops/action-gh-release/pull/746
+* fix: preserve prereleased events for prereleases by @chenrui333 in https://github.com/softprops/action-gh-release/pull/748
+* fix: restore dotfile asset labels by @chenrui333 in https://github.com/softprops/action-gh-release/pull/749
+* fix: handle upload already_exists races across workflows by @api2062 in https://github.com/softprops/action-gh-release/pull/745
+* fix: clean up orphan drafts when tag creation is blocked by @chenrui333 in https://github.com/softprops/action-gh-release/pull/750
+
+## 2.5.1
+
+`2.5.1` is a patch release focused on regressions introduced in `2.5.0` and on release lookup reliability.
+It fixes `#713`, addresses `#703`, and fixes `#724`. Regression testing shows that
+current `master` no longer reproduces the finalize-race behavior reported in `#704` and `#709`.
+
+## What's Changed
+
+### Bug fixes 🐛
+
+* fix: fetch correct asset URL after finalization; test; some refactoring by @pzhlkj6612 in https://github.com/softprops/action-gh-release/pull/738
+* fix: release marked as 'latest' despite make_latest: false by @Boshen in https://github.com/softprops/action-gh-release/pull/715
+* fix: use getReleaseByTag API instead of iterating all releases by @kim-em in https://github.com/softprops/action-gh-release/pull/725
+
+### Other Changes 🔄
+
+* dependency updates, including the ESM/runtime compatibility refresh in https://github.com/softprops/action-gh-release/pull/731
+
 ## 2.5.0
 
 ## What's Changed
@@ -201,7 +238,7 @@
 
 ## 2.0.0
 
-- `2.0.0`!? this release corrects a disjunction between git tag versions used in the marketplace and versions list this file. Previous versions should have really been 1.\*. Going forward this should be better aligned.
+- `2.0.0`!? this release corrects a disjunction between git tag versions used in the marketplace and the versions listed in this file. Previous versions should have really been 1.\*. Going forward this should be better aligned.
 - Upgrade action.yml declaration to node20 to address deprecations
 
 ## 0.1.15
@@ -212,7 +249,7 @@
 
 ## 0.1.14
 
-- provides an new workflow input option `generate_release_notes` which when set to true will automatically generate release notes for you based on GitHub activity [#179](https://github.com/softprops/action-gh-release/pull/179). Please see the [GitHub docs for this feature](https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes) for more information
+- provides a new workflow input option `generate_release_notes` which when set to true will automatically generate release notes for you based on GitHub activity [#179](https://github.com/softprops/action-gh-release/pull/179). Please see the [GitHub docs for this feature](https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes) for more information
 
 ## 0.1.13
 
@@ -220,7 +257,7 @@
 
 ## 0.1.12
 
-- fix bug leading to empty strings subsituted for inputs users don't provide breaking api calls [#144](https://github.com/softprops/action-gh-release/pull/144)
+- fix bug leading to empty strings substituted for inputs users don't provide breaking api calls [#144](https://github.com/softprops/action-gh-release/pull/144)
 
 ## 0.1.11
 
@@ -237,7 +274,7 @@
 ## 0.1.8
 
 - address recent warnings in assert upload api as well as introduce asset upload overrides, allowing for multiple runs for the same release with the same named asserts [#134](https://github.com/softprops/action-gh-release/pull/134)
-- fix backwards compatibility with `GITHUB_TOKEN` resolution. `GITHUB_TOKEN` is no resolved first from an env varibale and then from and input [#133](https://github.com/softprops/action-gh-release/pull/133)
+- fix backwards compatibility with `GITHUB_TOKEN` resolution. `GITHUB_TOKEN` is now resolved first from an env variable and then from an input [#133](https://github.com/softprops/action-gh-release/pull/133)
 - trim white space in provided `tag_name` [#130](https://github.com/softprops/action-gh-release/pull/130)
 
 ## 0.1.7
@@ -250,14 +287,14 @@
 
 This is a release catch up have a hiatus. Future releases will happen more frequently
 
-- Add 'fail_on_unmatched_files' input, useful for catching cases were your `files` input does not actually match what you expect [#55](https://github.com/softprops/action-gh-release/pull/55)
+- Add 'fail_on_unmatched_files' input, useful for catching cases where your `files` input does not actually match what you expect [#55](https://github.com/softprops/action-gh-release/pull/55)
 - Add `repository` input, useful for creating a release in an external repository [#61](https://github.com/softprops/action-gh-release/pull/61)
-- Add release `id` to outputs, useful for refering to release in workflow steps following the step that uses this action [#60](https://github.com/softprops/action-gh-release/pull/60)
+- Add release `id` to outputs, useful for referring to release in workflow steps following the step that uses this action [#60](https://github.com/softprops/action-gh-release/pull/60)
 - Add `upload_url` as action output, useful for managing uploads separately [#75](https://github.com/softprops/action-gh-release/pull/75)
 - Support custom `target_commitish` value, useful to customize the default [#76](https://github.com/softprops/action-gh-release/pull/76)
-- fix `body_path` input first then fall back on `body` input. this was the originally documented precedence but was implemened the the opposite order! [#85](https://github.com/softprops/action-gh-release/pull/85)
+- fix `body_path` input first then fall back on `body` input. This was the originally documented precedence but was implemented in the opposite order! [#85](https://github.com/softprops/action-gh-release/pull/85)
 - Retain original release info if the keys are not set, useful for filling in blanks for a release you've already started separately [#109](https://github.com/softprops/action-gh-release/pull/109)
-- Limit number of times github api request to create a release is retried, useful for avoiding eating up your rate limit and action minutes do to either an invalid token or other circumstance causing the api call to fail [#111](https://github.com/softprops/action-gh-release/pull/111)
+- Limit number of times github api request to create a release is retried, useful for avoiding eating up your rate limit and action minutes due to either an invalid token or other circumstance causing the api call to fail [#111](https://github.com/softprops/action-gh-release/pull/111)
 
 ## 0.1.5
 
@@ -267,7 +304,7 @@ This is a release catch up have a hiatus. Future releases will happen more frequ
 
 - Added support for updating releases body [#36](https://github.com/softprops/action-gh-release/pull/36)
 - Steps can now access the url of releases with the `url` output of this Action [#28](https://github.com/softprops/action-gh-release/pull/28)
-- Added basic GitHub API retry support to manage API turbulance [#26](https://github.com/softprops/action-gh-release/pull/26)
+- Added basic GitHub API retry support to manage API turbulence [#26](https://github.com/softprops/action-gh-release/pull/26)
 
 ## 0.1.3
 
@@ -282,7 +319,7 @@ This is now fixed.
 
 - Add support for newline-delimited asset list [#18](https://github.com/softprops/action-gh-release/pull/18)
 
-GitHub actions inputs don't inherently support lists of things and one might like to append a list of files to include in a release. Previously this was possible using a comma-delimited list of asset path patterns to upload. You can now provide these as a newline delimieted list for better readability
+GitHub actions inputs don't inherently support lists of things and one might like to append a list of files to include in a release. Previously this was possible using a comma-delimited list of asset path patterns to upload. You can now provide these as a newline delimited list for better readability
 
 ```yaml
 - name: Release

README.md

@@ -51,7 +51,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Release
         uses: softprops/action-gh-release@v2
         if: github.ref_type == 'tag'
@@ -72,7 +72,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Release
         uses: softprops/action-gh-release@v2
 ```
@@ -99,7 +99,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Build
         run: echo ${{ github.sha }} > Release.txt
       - name: Test
@@ -123,7 +123,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Build
         run: echo ${{ github.sha }} > Release.txt
       - name: Test
@@ -157,7 +157,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Generate Changelog
         run: echo "# Good things have arrived" > ${{ github.workspace }}-CHANGELOG.txt
       - name: Release
@@ -213,7 +213,7 @@ The following outputs can be accessed via `${{ steps.<step-id>.outputs }}` from
 | `url`        | String | Github.com URL for the release                                                                                                                                                            |
 | `id`         | String | Release ID                                                                                                                                                                                |
 | `upload_url` | String | URL for uploading assets to the release                                                                                                                                                   |
-| `assets`     | String | JSON array containing information about each uploaded asset, in the format given [here](https://docs.github.com/en/rest/releases/assets#get-a-release-asset) (minus the `uploader` field) |
+| `assets`     | String | JSON array containing information about each updated (newly uploaded or overwritten) asset, in the format given [here](https://docs.github.com/en/rest/releases/assets#get-a-release-asset) (minus the `uploader` field) |
 
 As an example, you can use `${{ fromJSON(steps.<step-id>.outputs.assets)[0].browser_download_url }}` to get the download URL of the first asset.
 

__tests__/github.test.ts

@@ -1,15 +1,41 @@
 import {
   asset,
   findTagFromReleases,
+  finalizeRelease,
   mimeOrDefault,
   release,
   Release,
   Releaser,
+  upload,
 } from '../src/github';
 
-import { assert, describe, it } from 'vitest';
+import { mkdtempSync, rmSync, writeFileSync } from 'fs';
+import { tmpdir } from 'os';
+import { join } from 'path';
+import { assert, describe, expect, it, vi } from 'vitest';
 
 describe('github', () => {
+  const config = {
+    github_token: 'test-token',
+    github_ref: 'refs/tags/v1.0.0',
+    github_repository: 'owner/repo',
+    input_tag_name: undefined,
+    input_name: undefined,
+    input_body: undefined,
+    input_body_path: undefined,
+    input_files: [],
+    input_draft: undefined,
+    input_prerelease: undefined,
+    input_preserve_order: undefined,
+    input_overwrite_files: undefined,
+    input_fail_on_unmatched_files: false,
+    input_target_commitish: undefined,
+    input_discussion_category_name: undefined,
+    input_generate_release_notes: false,
+    input_append_body: false,
+    input_make_latest: undefined,
+  };
+
   describe('mimeOrDefault', () => {
     it('returns a specific mime for common path', async () => {
       assert.equal(mimeOrDefault('foo.tar.gz'), 'application/gzip');
@@ -46,38 +72,30 @@ describe('github', () => {
     } as const;
 
     const mockReleaser: Releaser = {
-      getReleaseByTag: () => Promise.reject('Not implemented'),
+      getReleaseByTag: () => Promise.reject({ status: 404 }),
       createRelease: () => Promise.reject('Not implemented'),
       updateRelease: () => Promise.reject('Not implemented'),
       finalizeRelease: () => Promise.reject('Not implemented'),
       allReleases: async function* () {
         yield { data: [mockRelease] };
       },
+      listReleaseAssets: () => Promise.reject('Not implemented'),
+      deleteReleaseAsset: () => Promise.reject('Not implemented'),
+      deleteRelease: () => Promise.reject('Not implemented'),
+      updateReleaseAsset: () => Promise.reject('Not implemented'),
+      uploadReleaseAsset: () => Promise.reject('Not implemented'),
     } as const;
 
-    describe('when the tag_name is not an empty string', () => {
+    it('finds a release by tag using direct API lookup', async () => {
       const targetTag = 'v1.0.0';
-
-      it('finds a matching release in first batch of results', async () => {
       const targetRelease = {
         ...mockRelease,
-          owner,
-          repo,
         tag_name: targetTag,
       };
-        const otherRelease = {
-          ...mockRelease,
-          owner,
-          repo,
-          tag_name: 'v1.0.1',
-        };
 
       const releaser = {
         ...mockReleaser,
-          allReleases: async function* () {
-            yield { data: [targetRelease] };
-            yield { data: [otherRelease] };
-          },
+        getReleaseByTag: () => Promise.resolve({ data: targetRelease }),
       };
 
       const result = await findTagFromReleases(releaser, owner, repo, targetTag);
@@ -85,166 +103,370 @@ describe('github', () => {
       assert.deepStrictEqual(result, targetRelease);
     });
 
-      it('finds a matching release in second batch of results', async () => {
-        const targetRelease = {
-          ...mockRelease,
-          owner,
-          repo,
-          tag_name: targetTag,
-        };
-        const otherRelease = {
-          ...mockRelease,
-          owner,
-          repo,
-          tag_name: 'v1.0.1',
-        };
-
+    it('returns undefined when release is not found (404)', async () => {
       const releaser = {
         ...mockReleaser,
-          allReleases: async function* () {
-            yield { data: [otherRelease] };
-            yield { data: [targetRelease] };
-          },
+        getReleaseByTag: () => Promise.reject({ status: 404 }),
       };
 
-        const result = await findTagFromReleases(releaser, owner, repo, targetTag);
-        assert.deepStrictEqual(result, targetRelease);
-      });
-
-      it('returns undefined when a release is not found in any batch', async () => {
-        const otherRelease = {
-          ...mockRelease,
-          owner,
-          repo,
-          tag_name: 'v1.0.1',
-        };
-        const releaser = {
-          ...mockReleaser,
-          allReleases: async function* () {
-            yield { data: [otherRelease] };
-            yield { data: [otherRelease] };
-          },
-        };
-
-        const result = await findTagFromReleases(releaser, owner, repo, targetTag);
+      const result = await findTagFromReleases(releaser, owner, repo, 'nonexistent');
 
       assert.strictEqual(result, undefined);
     });
 
-      it('returns undefined when no releases are returned', async () => {
+    it('re-throws non-404 errors', async () => {
       const releaser = {
         ...mockReleaser,
-          allReleases: async function* () {
-            yield { data: [] };
-          },
+        getReleaseByTag: () => Promise.reject({ status: 500, message: 'Server error' }),
       };
 
-        const result = await findTagFromReleases(releaser, owner, repo, targetTag);
-
-        assert.strictEqual(result, undefined);
-      });
+      try {
+        await findTagFromReleases(releaser, owner, repo, 'v1.0.0');
+        assert.fail('Expected an error to be thrown');
+      } catch (error) {
+        assert.strictEqual(error.status, 500);
+      }
     });
 
-    describe('when the tag_name is an empty string', () => {
+    it('finds a release with empty tag name', async () => {
       const emptyTag = '';
-
-      it('finds a matching release in first batch of results', async () => {
       const targetRelease = {
         ...mockRelease,
-          owner,
-          repo,
         tag_name: emptyTag,
       };
-        const otherRelease = {
-          ...mockRelease,
-          owner,
-          repo,
-          tag_name: 'v1.0.1',
-        };
 
       const releaser = {
         ...mockReleaser,
-          allReleases: async function* () {
-            yield { data: [targetRelease] };
-            yield { data: [otherRelease] };
-          },
+        getReleaseByTag: () => Promise.resolve({ data: targetRelease }),
       };
 
       const result = await findTagFromReleases(releaser, owner, repo, emptyTag);
 
       assert.deepStrictEqual(result, targetRelease);
     });
-
-      it('finds a matching release in second batch of results', async () => {
-        const targetRelease = {
-          ...mockRelease,
-          owner,
-          repo,
-          tag_name: emptyTag,
-        };
-        const otherRelease = {
-          ...mockRelease,
-          owner,
-          repo,
-          tag_name: 'v1.0.1',
-        };
-
-        const releaser = {
-          ...mockReleaser,
-          allReleases: async function* () {
-            yield { data: [otherRelease] };
-            yield { data: [targetRelease] };
-          },
-        };
-
-        const result = await findTagFromReleases(releaser, owner, repo, emptyTag);
-        assert.deepStrictEqual(result, targetRelease);
   });
 
-      it('returns undefined when a release is not found in any batch', async () => {
-        const otherRelease = {
-          ...mockRelease,
-          owner,
-          repo,
-          tag_name: 'v1.0.1',
+  describe('finalizeRelease input_draft behavior', () => {
+    const draftRelease: Release = {
+      id: 1,
+      upload_url: 'test',
+      html_url: 'test',
+      tag_name: 'v1.0.0',
+      name: 'test',
+      body: 'test',
+      target_commitish: 'main',
+      draft: true,
+      prerelease: false,
+      assets: [],
     };
-        const releaser = {
-          ...mockReleaser,
-          allReleases: async function* () {
-            yield { data: [otherRelease] };
-            yield { data: [otherRelease] };
+
+    const finalizedRelease: Release = {
+      ...draftRelease,
+      draft: false,
+    };
+    const publishedPrerelease: Release = {
+      ...draftRelease,
+      draft: false,
+      prerelease: true,
+    };
+
+    it.each([
+      {
+        name: 'returns early when input_draft is true',
+        input_draft: true,
+        release: draftRelease,
+        expectedCalls: 0,
+        expectedResult: draftRelease,
       },
+      {
+        name: 'finalizes release when input_draft is false',
+        input_draft: false,
+        release: draftRelease,
+        expectedCalls: 1,
+        expectedResult: finalizedRelease,
+      },
+      {
+        name: 'returns early when release is already published',
+        input_draft: false,
+        release: publishedPrerelease,
+        expectedCalls: 0,
+        expectedResult: publishedPrerelease,
+      },
+    ])('$name', async ({ input_draft, release, expectedCalls, expectedResult }) => {
+      const finalizeReleaseSpy = vi.fn(async () => ({ data: finalizedRelease }));
+
+      const releaser: Releaser = {
+        getReleaseByTag: () => Promise.reject('Not implemented'),
+        createRelease: () => Promise.reject('Not implemented'),
+        updateRelease: () => Promise.reject('Not implemented'),
+        finalizeRelease: finalizeReleaseSpy,
+        allReleases: async function* () {
+          throw new Error('Not implemented');
+        },
+        listReleaseAssets: () => Promise.reject('Not implemented'),
+        deleteReleaseAsset: () => Promise.reject('Not implemented'),
+        deleteRelease: () => Promise.reject('Not implemented'),
+        updateReleaseAsset: () => Promise.reject('Not implemented'),
+        uploadReleaseAsset: () => Promise.reject('Not implemented'),
       };
 
-        const result = await findTagFromReleases(releaser, owner, repo, emptyTag);
+      const result = await finalizeRelease(
+        {
+          ...config,
+          input_draft,
+        },
+        releaser,
+        release,
+      );
 
-        assert.strictEqual(result, undefined);
+      expect(finalizeReleaseSpy).toHaveBeenCalledTimes(expectedCalls);
+      assert.strictEqual(result, expectedResult);
+
+      if (expectedCalls === 1) {
+        expect(finalizeReleaseSpy).toHaveBeenCalledWith({
+          owner: 'owner',
+          repo: 'repo',
+          release_id: release.id,
+        });
+      }
     });
 
-      it('returns undefined when no releases are returned', async () => {
-        const releaser = {
-          ...mockReleaser,
-          allReleases: async function* () {
-            yield { data: [] };
+    it('deletes a newly created draft when tag creation is blocked by repository rules', async () => {
+      const finalizeReleaseSpy = vi.fn(async () => {
+        throw {
+          status: 422,
+          response: {
+            data: {
+              errors: [
+                {
+                  field: 'pre_receive',
+                  message:
+                    'pre_receive Repository rule violations found\n\nCannot create ref due to creations being restricted.\n\n',
+                },
+              ],
+            },
           },
         };
-
-        const result = await findTagFromReleases(releaser, owner, repo, emptyTag);
-
-        assert.strictEqual(result, undefined);
       });
+      const deleteReleaseSpy = vi.fn(async () => undefined);
+
+      const releaser: Releaser = {
+        getReleaseByTag: () => Promise.reject('Not implemented'),
+        createRelease: () => Promise.reject('Not implemented'),
+        updateRelease: () => Promise.reject('Not implemented'),
+        finalizeRelease: finalizeReleaseSpy,
+        allReleases: async function* () {
+          throw new Error('Not implemented');
+        },
+        listReleaseAssets: () => Promise.reject('Not implemented'),
+        deleteReleaseAsset: () => Promise.reject('Not implemented'),
+        deleteRelease: deleteReleaseSpy,
+        updateReleaseAsset: () => Promise.reject('Not implemented'),
+        uploadReleaseAsset: () => Promise.reject('Not implemented'),
+      };
+
+      await expect(
+        finalizeRelease(
+          {
+            ...config,
+            input_draft: false,
+          },
+          releaser,
+          draftRelease,
+          true,
+        ),
+      ).rejects.toThrow(
+        'Tag creation for v1.0.0 is blocked by repository rules. Deleted draft release 1 to avoid leaving an orphaned draft release.',
+      );
+
+      expect(finalizeReleaseSpy).toHaveBeenCalledTimes(1);
+      expect(deleteReleaseSpy).toHaveBeenCalledWith({
+        owner: 'owner',
+        repo: 'repo',
+        release_id: draftRelease.id,
+      });
+    });
+
+    it('does not delete an existing draft release when tag creation is blocked by repository rules', async () => {
+      const finalizeReleaseSpy = vi.fn(async () => {
+        throw {
+          status: 422,
+          response: {
+            data: {
+              errors: [
+                {
+                  field: 'pre_receive',
+                  message:
+                    'pre_receive Repository rule violations found\n\nCannot create ref due to creations being restricted.\n\n',
+                },
+              ],
+            },
+          },
+        };
+      });
+      const deleteReleaseSpy = vi.fn(async () => undefined);
+
+      const releaser: Releaser = {
+        getReleaseByTag: () => Promise.reject('Not implemented'),
+        createRelease: () => Promise.reject('Not implemented'),
+        updateRelease: () => Promise.reject('Not implemented'),
+        finalizeRelease: finalizeReleaseSpy,
+        allReleases: async function* () {
+          throw new Error('Not implemented');
+        },
+        listReleaseAssets: () => Promise.reject('Not implemented'),
+        deleteReleaseAsset: () => Promise.reject('Not implemented'),
+        deleteRelease: deleteReleaseSpy,
+        updateReleaseAsset: () => Promise.reject('Not implemented'),
+        uploadReleaseAsset: () => Promise.reject('Not implemented'),
+      };
+
+      await expect(
+        finalizeRelease(
+          {
+            ...config,
+            input_draft: false,
+          },
+          releaser,
+          draftRelease,
+          false,
+          1,
+        ),
+      ).rejects.toThrow('Too many retries.');
+
+      expect(finalizeReleaseSpy).toHaveBeenCalledTimes(1);
+      expect(deleteReleaseSpy).not.toHaveBeenCalled();
     });
   });
 
   describe('error handling', () => {
-    it('handles 422 already_exists error gracefully', async () => {
+    it('creates published prereleases without the forced draft-first path', async () => {
+      const prereleaseConfig = {
+        ...config,
+        input_prerelease: true,
+        input_draft: false,
+      };
+      const createdRelease: Release = {
+        id: 1,
+        upload_url: 'test',
+        html_url: 'test',
+        tag_name: 'v1.0.0',
+        name: 'test',
+        body: 'test',
+        target_commitish: 'main',
+        draft: false,
+        prerelease: true,
+        assets: [],
+      };
+
+      const createReleaseSpy = vi.fn(async () => ({ data: createdRelease }));
       const mockReleaser: Releaser = {
-        getReleaseByTag: () => Promise.reject('Not implemented'),
-        createRelease: () =>
-          Promise.reject({
+        getReleaseByTag: () => Promise.reject({ status: 404 }),
+        createRelease: createReleaseSpy,
+        updateRelease: () => Promise.reject('Not implemented'),
+        finalizeRelease: () => Promise.reject('Not implemented'),
+        allReleases: async function* () {
+          yield { data: [createdRelease] };
+        },
+        listReleaseAssets: () => Promise.reject('Not implemented'),
+        deleteReleaseAsset: () => Promise.reject('Not implemented'),
+        deleteRelease: () => Promise.reject('Not implemented'),
+        updateReleaseAsset: () => Promise.reject('Not implemented'),
+        uploadReleaseAsset: () => Promise.reject('Not implemented'),
+      } as const;
+
+      const result = await release(prereleaseConfig, mockReleaser, 1);
+
+      assert.equal(result.release.id, createdRelease.id);
+      assert.equal(result.created, true);
+      expect(createReleaseSpy).toHaveBeenCalledWith(
+        expect.objectContaining({
+          draft: false,
+          prerelease: true,
+        }),
+      );
+    });
+
+    it('retries upload after deleting conflicting asset on 422 already_exists race', async () => {
+      const uploadReleaseAsset = vi
+        .fn()
+        .mockRejectedValueOnce({
           status: 422,
           response: { data: { errors: [{ code: 'already_exists' }] } },
-          }),
+        })
+        .mockResolvedValueOnce({
+          status: 201,
+          data: { id: 123, name: 'release.txt' },
+        });
+
+      const listReleaseAssets = vi.fn().mockResolvedValue([{ id: 99, name: 'release.txt' }]);
+      const deleteReleaseAsset = vi.fn().mockResolvedValue(undefined);
+
+      const mockReleaser: Releaser = {
+        getReleaseByTag: () => Promise.reject('Not implemented'),
+        createRelease: () => Promise.reject('Not implemented'),
+        updateRelease: () => Promise.reject('Not implemented'),
+        finalizeRelease: () => Promise.reject('Not implemented'),
+        allReleases: async function* () {
+          throw new Error('Not implemented');
+        },
+        listReleaseAssets,
+        deleteReleaseAsset,
+        uploadReleaseAsset,
+      };
+
+      const result = await upload(
+        config,
+        mockReleaser,
+        'https://uploads.github.com/repos/owner/repo/releases/1/assets',
+        '__tests__/release.txt',
+        [],
+      );
+
+      expect(result).toStrictEqual({ id: 123, name: 'release.txt' });
+      expect(listReleaseAssets).toHaveBeenCalledWith({
+        owner: 'owner',
+        repo: 'repo',
+        release_id: 1,
+      });
+      expect(deleteReleaseAsset).toHaveBeenCalledWith({
+        owner: 'owner',
+        repo: 'repo',
+        asset_id: 99,
+      });
+      expect(uploadReleaseAsset).toHaveBeenCalledTimes(2);
+    });
+
+    it('handles 422 already_exists error gracefully', async () => {
+      const existingRelease = {
+        id: 1,
+        upload_url: 'test',
+        html_url: 'test',
+        tag_name: 'v1.0.0',
+        name: 'test',
+        body: 'test',
+        target_commitish: 'main',
+        draft: false,
+        prerelease: false,
+        assets: [],
+      };
+
+      let createAttempts = 0;
+      const mockReleaser: Releaser = {
+        getReleaseByTag: ({ tag }) => {
+          // First call returns 404 (release doesn't exist yet), subsequent calls find it
+          if (createAttempts === 0) {
+            return Promise.reject({ status: 404 });
+          }
+          return Promise.resolve({ data: existingRelease });
+        },
+        createRelease: () => {
+          createAttempts++;
+          return Promise.reject({
+            status: 422,
+            response: { data: { errors: [{ code: 'already_exists' }] } },
+          });
+        },
         updateRelease: () =>
           Promise.resolve({
             data: {
@@ -260,51 +482,251 @@ describe('github', () => {
               assets: [],
             },
           }),
-        finalizeRelease: async () => {},
+        finalizeRelease: () => Promise.reject('Not implemented'),
         allReleases: async function* () {
-          yield {
-            data: [
-              {
-                id: 1,
-                upload_url: 'test',
-                html_url: 'test',
-                tag_name: 'v1.0.0',
-                name: 'test',
-                body: 'test',
-                target_commitish: 'main',
-                draft: false,
-                prerelease: false,
-                assets: [],
-              },
-            ],
-          };
+          yield { data: [existingRelease] };
         },
+        listReleaseAssets: () => Promise.reject('Not implemented'),
+        deleteReleaseAsset: () => Promise.reject('Not implemented'),
+        deleteRelease: () => Promise.reject('Not implemented'),
+        uploadReleaseAsset: () => Promise.reject('Not implemented'),
       } as const;
 
-      const config = {
-        github_token: 'test-token',
-        github_ref: 'refs/tags/v1.0.0',
-        github_repository: 'owner/repo',
-        input_tag_name: undefined,
-        input_name: undefined,
-        input_body: undefined,
-        input_body_path: undefined,
-        input_files: [],
-        input_draft: undefined,
-        input_prerelease: undefined,
-        input_preserve_order: undefined,
-        input_overwrite_files: undefined,
-        input_fail_on_unmatched_files: false,
-        input_target_commitish: undefined,
-        input_discussion_category_name: undefined,
-        input_generate_release_notes: false,
-        input_append_body: false,
-        input_make_latest: undefined,
+      const result = await release(config, mockReleaser, 2);
+      assert.ok(result);
+      assert.equal(result.release.id, 1);
+      assert.equal(result.created, false);
+    });
+
+    it('reuses a canonical release after concurrent create success and removes empty duplicates', async () => {
+      const canonicalRelease: Release = {
+        id: 1,
+        upload_url: 'canonical-upload',
+        html_url: 'canonical-html',
+        tag_name: 'v1.0.0',
+        name: 'canonical',
+        body: 'test',
+        target_commitish: 'main',
+        draft: true,
+        prerelease: false,
+        assets: [],
+      };
+      const duplicateRelease: Release = {
+        id: 2,
+        upload_url: 'duplicate-upload',
+        html_url: 'duplicate-html',
+        tag_name: 'v1.0.0',
+        name: 'duplicate',
+        body: 'test',
+        target_commitish: 'main',
+        draft: true,
+        prerelease: false,
+        assets: [],
+      };
+
+      let lookupCount = 0;
+      const deleteReleaseSpy = vi.fn(async () => undefined);
+      const mockReleaser: Releaser = {
+        getReleaseByTag: () => {
+          lookupCount += 1;
+          if (lookupCount === 1) {
+            return Promise.reject({ status: 404 });
+          }
+          return Promise.resolve({ data: canonicalRelease });
+        },
+        createRelease: () => Promise.resolve({ data: duplicateRelease }),
+        updateRelease: () => Promise.reject('Not implemented'),
+        finalizeRelease: () => Promise.reject('Not implemented'),
+        allReleases: async function* () {
+          yield { data: [duplicateRelease, canonicalRelease] };
+        },
+        listReleaseAssets: () => Promise.reject('Not implemented'),
+        deleteReleaseAsset: () => Promise.reject('Not implemented'),
+        deleteRelease: deleteReleaseSpy,
+        updateReleaseAsset: () => Promise.reject('Not implemented'),
+        uploadReleaseAsset: () => Promise.reject('Not implemented'),
+      };
+
+      const result = await release(config, mockReleaser, 2);
+
+      assert.equal(result.release.id, canonicalRelease.id);
+      assert.equal(result.created, false);
+      expect(deleteReleaseSpy).toHaveBeenCalledWith({
+        owner: 'owner',
+        repo: 'repo',
+        release_id: duplicateRelease.id,
+      });
+    });
+
+    it('falls back to recent releases when tag lookup still lags after create', async () => {
+      const canonicalRelease: Release = {
+        id: 1,
+        upload_url: 'canonical-upload',
+        html_url: 'canonical-html',
+        tag_name: 'v1.0.0',
+        name: 'canonical',
+        body: 'test',
+        target_commitish: 'main',
+        draft: true,
+        prerelease: false,
+        assets: [],
+      };
+      const duplicateRelease: Release = {
+        id: 2,
+        upload_url: 'duplicate-upload',
+        html_url: 'duplicate-html',
+        tag_name: 'v1.0.0',
+        name: 'duplicate',
+        body: 'test',
+        target_commitish: 'main',
+        draft: true,
+        prerelease: false,
+        assets: [],
+      };
+
+      const deleteReleaseSpy = vi.fn(async () => undefined);
+      const mockReleaser: Releaser = {
+        getReleaseByTag: () => Promise.reject({ status: 404 }),
+        createRelease: () => Promise.resolve({ data: duplicateRelease }),
+        updateRelease: () => Promise.reject('Not implemented'),
+        finalizeRelease: () => Promise.reject('Not implemented'),
+        allReleases: async function* () {
+          yield { data: [duplicateRelease, canonicalRelease] };
+        },
+        listReleaseAssets: () => Promise.reject('Not implemented'),
+        deleteReleaseAsset: () => Promise.reject('Not implemented'),
+        deleteRelease: deleteReleaseSpy,
+        updateReleaseAsset: () => Promise.reject('Not implemented'),
+        uploadReleaseAsset: () => Promise.reject('Not implemented'),
       };
 
       const result = await release(config, mockReleaser, 1);
-      assert.ok(result);
-      assert.equal(result.id, 1);
+
+      assert.equal(result.release.id, canonicalRelease.id);
+      assert.equal(result.created, false);
+      expect(deleteReleaseSpy).toHaveBeenCalledWith({
+        owner: 'owner',
+        repo: 'repo',
+        release_id: duplicateRelease.id,
+      });
+    });
+  });
+
+  describe('upload', () => {
+    it('restores a dotfile label when GitHub normalizes the uploaded asset name', async () => {
+      const tempDir = mkdtempSync(join(tmpdir(), 'gh-release-dotfile-'));
+      const dotfilePath = join(tempDir, '.config');
+      writeFileSync(dotfilePath, 'config');
+
+      const updateReleaseAssetSpy = vi.fn(async () => ({
+        data: {
+          id: 1,
+          name: 'default.config',
+          label: '.config',
+        },
+      }));
+      const releaser: Releaser = {
+        getReleaseByTag: () => Promise.reject('Not implemented'),
+        createRelease: () => Promise.reject('Not implemented'),
+        updateRelease: () => Promise.reject('Not implemented'),
+        finalizeRelease: () => Promise.reject('Not implemented'),
+        allReleases: async function* () {
+          throw new Error('Not implemented');
+        },
+        listReleaseAssets: () => Promise.reject('Not implemented'),
+        deleteReleaseAsset: () => Promise.reject('Not implemented'),
+        deleteRelease: () => Promise.reject('Not implemented'),
+        updateReleaseAsset: updateReleaseAssetSpy,
+        uploadReleaseAsset: () =>
+          Promise.resolve({
+            status: 201,
+            data: {
+              id: 1,
+              name: 'default.config',
+              label: '',
+            },
+          }),
+      };
+
+      try {
+        const result = await upload(
+          config,
+          releaser,
+          'https://uploads.example.test/assets',
+          dotfilePath,
+          [],
+        );
+
+        expect(updateReleaseAssetSpy).toHaveBeenCalledWith({
+          owner: 'owner',
+          repo: 'repo',
+          asset_id: 1,
+          name: 'default.config',
+          label: '.config',
+        });
+        expect(result).toEqual({
+          id: 1,
+          name: 'default.config',
+          label: '.config',
+        });
+      } finally {
+        rmSync(tempDir, { recursive: true, force: true });
+      }
+    });
+
+    it('matches an existing asset by label when overwriting a dotfile', async () => {
+      const tempDir = mkdtempSync(join(tmpdir(), 'gh-release-dotfile-'));
+      const dotfilePath = join(tempDir, '.config');
+      writeFileSync(dotfilePath, 'config');
+
+      const deleteReleaseAssetSpy = vi.fn(async () => undefined);
+      const releaser: Releaser = {
+        getReleaseByTag: () => Promise.reject('Not implemented'),
+        createRelease: () => Promise.reject('Not implemented'),
+        updateRelease: () => Promise.reject('Not implemented'),
+        finalizeRelease: () => Promise.reject('Not implemented'),
+        allReleases: async function* () {
+          throw new Error('Not implemented');
+        },
+        listReleaseAssets: () => Promise.reject('Not implemented'),
+        deleteReleaseAsset: deleteReleaseAssetSpy,
+        deleteRelease: () => Promise.reject('Not implemented'),
+        updateReleaseAsset: () =>
+          Promise.resolve({
+            data: {
+              id: 2,
+              name: 'default.config',
+              label: '.config',
+            },
+          }),
+        uploadReleaseAsset: () =>
+          Promise.resolve({
+            status: 201,
+            data: {
+              id: 2,
+              name: 'default.config',
+              label: '',
+            },
+          }),
+      };
+
+      try {
+        await upload(config, releaser, 'https://uploads.example.test/assets', dotfilePath, [
+          {
+            id: 1,
+            name: 'default.config',
+            label: '.config',
+          },
+        ]);
+
+        expect(deleteReleaseAssetSpy).toHaveBeenCalledWith({
+          asset_id: 1,
+          owner: 'owner',
+          repo: 'repo',
+        });
+      } finally {
+        rmSync(tempDir, { recursive: true, force: true });
+      }
     });
   });
 });

package.json

@@ -1,12 +1,12 @@
 {
   "name": "action-gh-release",
-  "version": "2.5.0",
+  "version": "2.5.2",
   "private": true,
   "description": "GitHub Action for creating GitHub Releases",
   "main": "lib/main.js",
   "scripts": {
-    "build": "ncc build src/main.ts --minify --target es2022",
-    "build-debug": "ncc build src/main.ts --v8-cache --source-map",
+    "build": "esbuild src/main.ts --bundle --platform=node --format=cjs --target=node20 --outfile=dist/index.js --minify",
+    "build-debug": "esbuild src/main.ts --bundle --platform=node --format=cjs --target=node20 --outfile=dist/index.js --sourcemap --keep-names",
     "typecheck": "tsc --noEmit",
     "test": "vitest --coverage",
     "fmt": "prettier --write \"src/**/*.ts\" \"__tests__/**/*.ts\"",
@@ -22,20 +22,20 @@
   ],
   "author": "softprops",
   "dependencies": {
-    "@actions/core": "^1.11.1",
-    "@actions/github": "^6.0.1",
-    "@octokit/plugin-retry": "^8.0.3",
+    "@actions/core": "^3.0.0",
+    "@actions/github": "^9.0.0",
+    "@octokit/plugin-retry": "^8.1.0",
     "@octokit/plugin-throttling": "^11.0.3",
-    "glob": "^13.0.0",
+    "glob": "^13.0.6",
     "mime-types": "^3.0.2"
   },
   "devDependencies": {
     "@types/glob": "^9.0.0",
     "@types/mime-types": "^3.0.1",
-    "@types/node": "^20.19.25",
-    "@vercel/ncc": "^0.38.4",
-    "@vitest/coverage-v8": "^4.0.13",
-    "prettier": "3.6.2",
+    "@types/node": "^20.19.37",
+    "@vitest/coverage-v8": "^4.1.0",
+    "esbuild": "^0.27.3",
+    "prettier": "3.8.1",
     "ts-node": "^10.9.2",
     "typescript": "^5.9.3",
     "typescript-formatter": "^7.2.2",

src/github.ts

@@ -23,7 +23,12 @@ export interface Release {
   target_commitish: string;
   draft: boolean;
   prerelease: boolean;
-  assets: Array<{ id: number; name: string }>;
+  assets: Array<{ id: number; name: string; label?: string | null }>;
+}
+
+export interface ReleaseResult {
+  release: Release;
+  created: boolean;
 }
 
 export interface Releaser {
@@ -62,9 +67,36 @@ export interface Releaser {
     owner: string;
     repo: string;
     release_id: number;
+    make_latest: 'true' | 'false' | 'legacy' | undefined;
   }): Promise<{ data: Release }>;
 
-  allReleases(params: { owner: string; repo: string }): AsyncIterableIterator<{ data: Release[] }>;
+  allReleases(params: { owner: string; repo: string }): AsyncIterable<{ data: Release[] }>;
+
+  listReleaseAssets(params: {
+    owner: string;
+    repo: string;
+    release_id: number;
+  }): Promise<Array<{ id: number; name: string; label?: string | null; [key: string]: any }>>;
+
+  deleteReleaseAsset(params: { owner: string; repo: string; asset_id: number }): Promise<void>;
+
+  deleteRelease(params: { owner: string; repo: string; release_id: number }): Promise<void>;
+
+  updateReleaseAsset(params: {
+    owner: string;
+    repo: string;
+    asset_id: number;
+    name: string;
+    label: string;
+  }): Promise<{ data: any }>;
+
+  uploadReleaseAsset(params: {
+    url: string;
+    size: number;
+    mime: string;
+    token: string;
+    data: any;
+  }): Promise<{ status: number; data: any }>;
 }
 
 export class GitHubReleaser implements Releaser {
@@ -166,21 +198,79 @@ export class GitHubReleaser implements Releaser {
     return this.github.rest.repos.updateRelease(params);
   }
 
-  async finalizeRelease(params: { owner: string; repo: string; release_id: number }) {
+  async finalizeRelease(params: {
+    owner: string;
+    repo: string;
+    release_id: number;
+    make_latest: 'true' | 'false' | 'legacy' | undefined;
+  }) {
     return await this.github.rest.repos.updateRelease({
       owner: params.owner,
       repo: params.repo,
       release_id: params.release_id,
       draft: false,
+      make_latest: params.make_latest,
     });
   }
 
-  allReleases(params: { owner: string; repo: string }): AsyncIterableIterator<{ data: Release[] }> {
+  allReleases(params: { owner: string; repo: string }): AsyncIterable<{ data: Release[] }> {
     const updatedParams = { per_page: 100, ...params };
     return this.github.paginate.iterator(
       this.github.rest.repos.listReleases.endpoint.merge(updatedParams),
     );
   }
+
+  async listReleaseAssets(params: {
+    owner: string;
+    repo: string;
+    release_id: number;
+  }): Promise<Array<{ id: number; name: string; label?: string | null; [key: string]: any }>> {
+    return this.github.paginate(this.github.rest.repos.listReleaseAssets, {
+      ...params,
+      per_page: 100,
+    });
+  }
+
+  async deleteReleaseAsset(params: {
+    owner: string;
+    repo: string;
+    asset_id: number;
+  }): Promise<void> {
+    await this.github.rest.repos.deleteReleaseAsset(params);
+  }
+
+  async deleteRelease(params: { owner: string; repo: string; release_id: number }): Promise<void> {
+    await this.github.rest.repos.deleteRelease(params);
+  }
+
+  async updateReleaseAsset(params: {
+    owner: string;
+    repo: string;
+    asset_id: number;
+    name: string;
+    label: string;
+  }): Promise<{ data: any }> {
+    return await this.github.rest.repos.updateReleaseAsset(params);
+  }
+
+  async uploadReleaseAsset(params: {
+    url: string;
+    size: number;
+    mime: string;
+    token: string;
+    data: any;
+  }): Promise<{ status: number; data: any }> {
+    return this.github.request({
+      method: 'POST',
+      url: params.url,
+      headers: {
+        'content-length': `${params.size}`,
+        'content-type': params.mime,
+        authorization: `token ${params.token}`,
+      },
+      data: params.data,
+    });
+  }
 }
 
 export const asset = (path: string): ReleaseAsset => {
@@ -197,18 +287,21 @@ export const mimeOrDefault = (path: string): string => {
 
 export const upload = async (
   config: Config,
-  github: GitHub,
+  releaser: Releaser,
   url: string,
   path: string,
-  currentAssets: Array<{ id: number; name: string }>,
+  currentAssets: Array<{ id: number; name: string; label?: string | null }>,
 ): Promise<any> => {
   const [owner, repo] = config.github_repository.split('/');
   const { name, mime, size } = asset(path);
+  const releaseIdMatch = url.match(/\/releases\/(\d+)\/assets/);
+  const releaseId = releaseIdMatch ? Number(releaseIdMatch[1]) : undefined;
   const currentAsset = currentAssets.find(
     // note: GitHub renames asset filenames that have special characters, non-alphanumeric characters, and leading or trailing periods. The "List release assets" endpoint lists the renamed filenames.
     // due to this renaming we need to be mindful when we compare the file name we're uploading with a name github may already have rewritten for logical comparison
     // see https://docs.github.com/en/rest/releases/assets?apiVersion=2022-11-28#upload-a-release-asset
-    ({ name: currentName }) => currentName == alignAssetName(name),
+    ({ name: currentName, label: currentLabel }) =>
+      currentName === name || currentName === alignAssetName(name) || currentLabel === name,
   );
   if (currentAsset) {
     if (config.input_overwrite_files === false) {
@@ -216,7 +309,7 @@ export const upload = async (
       return null;
     } else {
       console.log(`♻️ Deleting previously uploaded asset ${name}...`);
-      await github.rest.repos.deleteReleaseAsset({
+      await releaser.deleteReleaseAsset({
         asset_id: currentAsset.id || 1,
         owner,
         repo,
@@ -226,18 +319,23 @@ export const upload = async (
   console.log(`⬆️ Uploading ${name}...`);
   const endpoint = new URL(url);
   endpoint.searchParams.append('name', name);
+  const uploadAsset = async () => {
     const fh = await open(path);
     try {
-    const resp = await github.request({
-      method: 'POST',
+      return await releaser.uploadReleaseAsset({
         url: endpoint.toString(),
-      headers: {
-        'content-length': `${size}`,
-        'content-type': mime,
-        authorization: `token ${config.github_token}`,
-      },
+        size,
+        mime,
+        token: config.github_token,
         data: fh.readableWebStream({ type: 'bytes' }),
       });
+    } finally {
+      await fh.close();
+    }
+  };
+
+  try {
+    const resp = await uploadAsset();
     const json = resp.data;
     if (resp.status !== 201) {
       throw new Error(
@@ -246,10 +344,67 @@ export const upload = async (
         }\n${json.message}\n${JSON.stringify(json.errors)}`,
       );
     }
+    if (json.name && json.name !== name && json.id) {
+      console.log(`✏️ Restoring asset label to ${name}...`);
+      try {
+        const { data } = await releaser.updateReleaseAsset({
+          owner,
+          repo,
+          asset_id: json.id,
+          name: json.name,
+          label: name,
+        });
+        console.log(`✅ Uploaded ${name}`);
+        return data;
+      } catch (error) {
+        console.warn(`error updating release asset label for ${name}: ${error}`);
+      }
+    }
     console.log(`✅ Uploaded ${name}`);
     return json;
-  } finally {
-    await fh.close();
+  } catch (error: any) {
+    const errorStatus = error?.status ?? error?.response?.status;
+    const errorData = error?.response?.data;
+
+    // Handle race conditions across concurrent workflows uploading the same asset.
+    if (
+      config.input_overwrite_files !== false &&
+      errorStatus === 422 &&
+      errorData?.errors?.[0]?.code === 'already_exists' &&
+      releaseId !== undefined
+    ) {
+      console.log(
+        `⚠️ Asset ${name} already exists (race condition), refreshing assets and retrying once...`,
+      );
+      const latestAssets = await releaser.listReleaseAssets({
+        owner,
+        repo,
+        release_id: releaseId,
+      });
+      const latestAsset = latestAssets.find(
+        ({ name: currentName }) => currentName == alignAssetName(name),
+      );
+      if (latestAsset) {
+        await releaser.deleteReleaseAsset({
+          owner,
+          repo,
+          asset_id: latestAsset.id,
+        });
+        const retryResp = await uploadAsset();
+        const retryJson = retryResp.data;
+        if (retryResp.status !== 201) {
+          throw new Error(
+            `Failed to upload release asset ${name}. received status code ${
+              retryResp.status
+            }\n${retryJson.message}\n${JSON.stringify(retryJson.errors)}`,
+          );
+        }
+        console.log(`✅ Uploaded ${name}`);
+        return retryJson;
+      }
+    }
+
+    throw error;
   }
 };
 
@@ -257,7 +412,7 @@ export const release = async (
   config: Config,
   releaser: Releaser,
   maxRetries: number = 3,
-): Promise<Release> => {
+): Promise<ReleaseResult> => {
   if (maxRetries <= 0) {
     console.log(`❌ Too many retries. Aborting...`);
     throw new Error('Too many retries.');
@@ -337,7 +492,10 @@ export const release = async (
       generate_release_notes,
       make_latest,
     });
-    return release.data;
+    return {
+      release: release.data,
+      created: false,
+    };
   } catch (error) {
     if (error.status !== 404) {
       console.log(
@@ -372,9 +530,10 @@ export const finalizeRelease = async (
   config: Config,
   releaser: Releaser,
   release: Release,
+  releaseWasCreated: boolean = false,
   maxRetries: number = 3,
 ): Promise<Release> => {
-  if (config.input_draft === true) {
+  if (config.input_draft === true || release.draft === false) {
     return release;
   }
 
@@ -389,17 +548,84 @@ export const finalizeRelease = async (
       owner,
       repo,
       release_id: release.id,
+      make_latest: config.input_make_latest,
     });
 
     return data;
-  } catch {
+  } catch (error) {
+    console.warn(`error finalizing release: ${error}`);
+
+    if (releaseWasCreated && release.draft && isTagCreationBlockedError(error)) {
+      let deleted = false;
+
+      try {
+        console.log(
+          `🧹 Deleting draft release ${release.id} for tag ${release.tag_name} because tag creation is blocked by repository rules...`,
+        );
+        await releaser.deleteRelease({
+          owner,
+          repo,
+          release_id: release.id,
+        });
+        deleted = true;
+      } catch (cleanupError) {
+        console.warn(`error deleting orphan draft release ${release.id}: ${cleanupError}`);
+      }
+
+      const cleanupResult = deleted
+        ? `Deleted draft release ${release.id} to avoid leaving an orphaned draft release.`
+        : `Failed to delete draft release ${release.id}; manual cleanup may still be required.`;
+      throw new Error(
+        `Tag creation for ${release.tag_name} is blocked by repository rules. ${cleanupResult}`,
+      );
+    }
+
     console.log(`retrying... (${maxRetries - 1} retries remaining)`);
-    return finalizeRelease(config, releaser, release, maxRetries - 1);
+    return finalizeRelease(config, releaser, release, releaseWasCreated, maxRetries - 1);
   }
 };
 
 /**
- * Finds a release by tag name from all a repository's releases.
+ * Lists assets belonging to a release.
+ *
+ * @param config - Release configuration as specified by user
+ * @param releaser - The GitHub API wrapper for release operations
+ * @param release - The existing release to be checked
+ * @param maxRetries - The maximum number of attempts
+ */
+export const listReleaseAssets = async (
+  config: Config,
+  releaser: Releaser,
+  release: Release,
+  maxRetries: number = 3,
+): Promise<Array<{ id: number; name: string; [key: string]: any }>> => {
+  if (maxRetries <= 0) {
+    console.log(`❌ Too many retries. Aborting...`);
+    throw new Error('Too many retries.');
+  }
+
+  const [owner, repo] = config.github_repository.split('/');
+  try {
+    const assets = await releaser.listReleaseAssets({
+      owner,
+      repo,
+      release_id: release.id,
+    });
+
+    return assets;
+  } catch (error) {
+    console.warn(`error listing assets of release: ${error}`);
+    console.log(`retrying... (${maxRetries - 1} retries remaining)`);
+    return listReleaseAssets(config, releaser, release, maxRetries - 1);
+  }
+};
+
+/**
+ * Finds a release by tag name.
+ *
+ * Uses the direct getReleaseByTag API for O(1) lookup instead of iterating
+ * through all releases. This also avoids GitHub's API pagination limit of
+ * 10000 results which would cause failures for repositories with many releases.
  *
  * @param releaser - The GitHub API wrapper for release operations
  * @param owner - The owner of the repository
@@ -413,16 +639,152 @@ export async function findTagFromReleases(
   repo: string,
   tag: string,
 ): Promise<Release | undefined> {
-  for await (const { data: releases } of releaser.allReleases({
+  try {
+    const { data: release } = await releaser.getReleaseByTag({ owner, repo, tag });
+    return release;
+  } catch (error) {
+    // Release not found (404) or other error - return undefined to allow creation
+    if (error.status === 404) {
+      return undefined;
+    }
+    // Re-throw unexpected errors
+    throw error;
+  }
+}
+
+const CREATED_RELEASE_DISCOVERY_RETRY_DELAY_MS = 1000;
+const RECENT_RELEASE_SCAN_PAGES = 2;
+
+async function sleep(ms: number): Promise<void> {
+  await new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+async function recentReleasesByTag(
+  releaser: Releaser,
+  owner: string,
+  repo: string,
+  tag: string,
+): Promise<Release[]> {
+  const matches: Release[] = [];
+  let pages = 0;
+
+  for await (const page of releaser.allReleases({ owner, repo })) {
+    matches.push(...page.data.filter((release) => release.tag_name === tag));
+    pages += 1;
+
+    if (pages >= RECENT_RELEASE_SCAN_PAGES) {
+      break;
+    }
+  }
+
+  return matches;
+}
+
+function pickCanonicalRelease(
+  releases: Release[],
+  releaseByTag: Release | undefined,
+): Release | undefined {
+  if (releaseByTag && releases.some((release) => release.id === releaseByTag.id)) {
+    return releaseByTag;
+  }
+
+  if (releases.length === 0) {
+    return releaseByTag;
+  }
+
+  return [...releases].sort((left, right) => {
+    if (left.draft !== right.draft) {
+      return Number(left.draft) - Number(right.draft);
+    }
+
+    return left.id - right.id;
+  })[0];
+}
+
+async function cleanupDuplicateDraftReleases(
+  releaser: Releaser,
+  owner: string,
+  repo: string,
+  tag: string,
+  canonicalReleaseId: number,
+  recentReleases: Release[],
+): Promise<void> {
+  for (const duplicate of recentReleases) {
+    if (duplicate.id === canonicalReleaseId || !duplicate.draft || duplicate.assets.length > 0) {
+      continue;
+    }
+
+    try {
+      console.log(`🧹 Removing duplicate draft release ${duplicate.id} for tag ${tag}...`);
+      await releaser.deleteRelease({
         owner,
         repo,
-  })) {
-    const release = releases.find((release) => release.tag_name === tag);
-    if (release) {
-      return release;
+        release_id: duplicate.id,
+      });
+    } catch (error) {
+      console.warn(`error deleting duplicate release ${duplicate.id}: ${error}`);
     }
   }
-  return undefined;
+}
+
+async function canonicalizeCreatedRelease(
+  releaser: Releaser,
+  owner: string,
+  repo: string,
+  tag: string,
+  createdRelease: Release,
+  maxRetries: number,
+): Promise<Release> {
+  const attempts = Math.max(maxRetries, 1);
+
+  for (let attempt = 1; attempt <= attempts; attempt += 1) {
+    let releaseByTag: Release | undefined;
+    try {
+      releaseByTag = await findTagFromReleases(releaser, owner, repo, tag);
+    } catch (error) {
+      console.warn(`error reloading release for tag ${tag}: ${error}`);
+    }
+
+    let recentReleases: Release[] = [];
+    try {
+      recentReleases = await recentReleasesByTag(releaser, owner, repo, tag);
+    } catch (error) {
+      console.warn(`error listing recent releases for tag ${tag}: ${error}`);
+    }
+
+    const canonicalRelease = pickCanonicalRelease(recentReleases, releaseByTag);
+    if (canonicalRelease) {
+      if (canonicalRelease.id !== createdRelease.id) {
+        console.log(
+          `↪️ Using release ${canonicalRelease.id} for tag ${tag} instead of duplicate draft ${createdRelease.id}`,
+        );
+      }
+
+      await cleanupDuplicateDraftReleases(
+        releaser,
+        owner,
+        repo,
+        tag,
+        canonicalRelease.id,
+        recentReleases,
+      );
+      return canonicalRelease;
+    }
+
+    if (attempt < attempts) {
+      console.log(
+        `Release ${createdRelease.id} is not yet discoverable by tag ${tag}, retrying... (${
+          attempts - attempt
+        } retries remaining)`,
+      );
+      await sleep(CREATED_RELEASE_DISCOVERY_RETRY_DELAY_MS);
+    }
+  }
+
+  console.log(
+    `⚠️ Continuing with newly created release ${createdRelease.id} because tag ${tag} is still not discoverable`,
+  );
+  return createdRelease;
 }
 
 async function createRelease(
@@ -434,11 +796,12 @@ async function createRelease(
   discussion_category_name: string | undefined,
   generate_release_notes: boolean | undefined,
   maxRetries: number,
-) {
+): Promise<ReleaseResult> {
   const tag_name = tag;
   const name = config.input_name || tag;
   const body = releaseBody(config);
   const prerelease = config.input_prerelease;
+  const draft = prerelease === true ? config.input_draft === true : true;
   const target_commitish = config.input_target_commitish;
   const make_latest = config.input_make_latest;
   let commitMessage: string = '';
@@ -447,20 +810,31 @@ async function createRelease(
   }
   console.log(`👩‍🏭 Creating new GitHub release for tag ${tag_name}${commitMessage}...`);
   try {
-    let release = await releaser.createRelease({
+    const createdRelease = await releaser.createRelease({
       owner,
       repo,
       tag_name,
       name,
       body,
-      draft: true,
+      draft,
       prerelease,
       target_commitish,
       discussion_category_name,
       generate_release_notes,
       make_latest,
     });
-    return release.data;
+    const canonicalRelease = await canonicalizeCreatedRelease(
+      releaser,
+      owner,
+      repo,
+      tag_name,
+      createdRelease.data,
+      maxRetries,
+    );
+    return {
+      release: canonicalRelease,
+      created: canonicalRelease.id === createdRelease.data.id,
+    };
   } catch (error) {
     // presume a race with competing matrix runs
     console.log(`⚠️ GitHub release failed with status: ${error.status}`);
@@ -496,3 +870,17 @@ async function createRelease(
     return release(config, releaser, maxRetries - 1);
   }
 }
+
+function isTagCreationBlockedError(error: any): boolean {
+  const errors = error?.response?.data?.errors;
+  if (!Array.isArray(errors) || error?.status !== 422) {
+    return false;
+  }
+
+  return errors.some(
+    ({ field, message }: { field?: string; message?: string }) =>
+      field === 'pre_receive' &&
+      typeof message === 'string' &&
+      message.includes('creations being restricted'),
+  );
+}

src/main.ts

@@ -1,6 +1,6 @@
 import { setFailed, setOutput } from '@actions/core';
 import { getOctokit } from '@actions/github';
-import { GitHubReleaser, release, finalizeRelease, upload } from './github';
+import { GitHubReleaser, release, finalizeRelease, upload, listReleaseAssets } from './github';
 import { isTag, parseConfig, paths, unmatchedPatterns, uploadUrl } from './util';
 
 import { env } from 'process';
@@ -49,7 +49,10 @@ async function run() {
     });
     //);
     const releaser = new GitHubReleaser(gh);
-    let rel = await release(config, releaser);
+    const releaseResult = await release(config, releaser);
+    let rel = releaseResult.release;
+    const releaseWasCreated = releaseResult.created;
+    let uploadedAssetIds: Set<number> = new Set();
     if (config.input_files && config.input_files.length > 0) {
       const files = paths(config.input_files, config.input_working_directory);
       if (files.length == 0) {
@@ -61,15 +64,12 @@ async function run() {
       }
       const currentAssets = rel.assets;
 
-      const uploadFile = async (path) => {
-        const json = await upload(config, gh, uploadUrl(rel.upload_url), path, currentAssets);
-        if (json) {
-          delete json.uploader;
-        }
-        return json;
+      const uploadFile = async (path: string) => {
+        const json = await upload(config, releaser, uploadUrl(rel.upload_url), path, currentAssets);
+        return json ? (json.id as number) : undefined;
       };
 
-      let results: (any | null)[];
+      let results: (number | undefined)[];
       if (!config.input_preserve_order) {
         results = await Promise.all(files.map(uploadFile));
       } else {
@@ -79,12 +79,28 @@ async function run() {
         }
       }
 
-      const assets = results.filter(Boolean);
-      setOutput('assets', assets);
+      uploadedAssetIds = new Set(results.filter((id): id is number => id !== undefined));
     }
 
     console.log('Finalizing release...');
-    rel = await finalizeRelease(config, releaser, rel);
+    rel = await finalizeRelease(config, releaser, rel, releaseWasCreated);
+
+    // Draft releases use temporary "untagged-..." URLs for assets.
+    // URLs will be changed to correct ones once the release is published.
+    console.log('Getting assets list...');
+    {
+      let assets: any[] = [];
+      if (uploadedAssetIds.size > 0) {
+        const updatedAssets = await listReleaseAssets(config, releaser, rel);
+        assets = updatedAssets
+          .filter((a) => uploadedAssetIds.has(a.id))
+          .map((a) => {
+            const { uploader, ...rest } = a;
+            return rest;
+          });
+      }
+      setOutput('assets', assets);
+    }
 
     console.log(`🎉 Release ready at ${rel.html_url}`);
     setOutput('url', rel.html_url);

tsconfig.json

@@ -45,7 +45,7 @@
     // "paths": {},                           /* A series of entries which re-map imports to lookup locations relative to the 'baseUrl'. */
     // "rootDirs": [],                        /* List of root folders whose combined content represents the structure of the project at runtime. */
     // "typeRoots": [],                       /* List of folders to include type definitions from. */
-    "types": ["vitest/globals"],
+    "types": ["node", "vitest/globals"],
     // "allowSyntheticDefaultImports": true,  /* Allow default imports from modules with no default export. This does not affect code emit, just typechecking. */
     "esModuleInterop": true                   /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */
     // "preserveSymlinks": true,              /* Do not resolve the real path of symlinks. */