From 62693935d064698a58c51a4d8b3fb7132ac2714a Mon Sep 17 00:00:00 2001
From: Micheal Wilkinson
Date: Sat, 21 Mar 2026 20:07:45 +0000
Subject: [PATCH] fix(release): parse release id robustly and validate upload endpoint

Use JSON parsing for release id extraction in publish action instead of regex matching, preventing wrong id selection from nested fields. Add a pre-upload release endpoint check to fail early with explicit release URL diagnostics when the resolved id/path is invalid.
---
 .gitea/workflows/prepare-release.yml | 9 +++++++++
 publish/action.yml | 26 ++++++++++++++++++++++++--
 2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/.gitea/workflows/prepare-release.yml b/.gitea/workflows/prepare-release.yml
index efe0c87..e9efd29 100644
--- a/.gitea/workflows/prepare-release.yml
+++ b/.gitea/workflows/prepare-release.yml
@@ -275,6 +275,15 @@ jobs:
 exit 1
 fi
+ release_detail_api="${GITHUB_API_URL:-${GITHUB_SERVER_URL%/}/api/v1}/repos/${GITHUB_REPOSITORY}/releases/${release_id}"
+ if ! curl --fail-with-body -sS \
+ -H "Authorization: token ${RELEASE_TOKEN}" \
+ -H "Content-Type: application/json" \
+ "$release_detail_api" >/dev/null; then
+ echo "Resolved release endpoint is not accessible: ${release_detail_api}" >&2
+ exit 1
+ fi
+
 release_api="${GITHUB_API_URL:-${GITHUB_SERVER_URL%/}/api/v1}/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets"
 for asset in dist/*; do
diff --git a/publish/action.yml b/publish/action.yml
index 6f9bb8f..a131c33 100644
--- a/publish/action.yml
+++ b/publish/action.yml
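Review bot: The `>/dev/null` on the new `curl` call in the prepare-release.yml hunk throws away the response body that `--fail-with-body` is there to keep, so a 401/403 from a `RELEASE_TOKEN` without access to the repository is reported exactly like a 404 for a wrong `release_id`. Capture the status and print it, for example `status="$(curl -sS -o /dev/null -w '%{http_code}' -H "Authorization: token ${RELEASE_TOKEN}" "$release_detail_api")"` followed by a check for `200` that includes `${status}` in the message. The call also has no `--max-time`, so a stalled endpoint holds the job until the runner's own timeout, and `Content-Type` is not needed on a request without a body. The `release_api` context line below could be derived as `"${release_detail_api}/assets"` so the checked URL and the upload URL cannot drift apart. The enclosing step starts and ends outside the hunk.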
@@ -44,6 +44,28 @@ runs:
 run: |
 set -euo pipefail
+ parse_release_id() {
+ local json_file="$1"
+
+ if command -v python3 >/dev/null 2>&1; then
+ python3 - "$json_file" <<'PY'
+import json
+import sys
+
+with open(sys.argv[1], 'r', encoding='utf-8') as fh:
+ payload = json.load(fh)
+
+value = payload.get('id')
+if isinstance(value, int):
+ print(value)
+PY
+ return
+ fi
+
+ # Fallback for environments without python3.
+ sed -n 's/.*"id"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$json_file" | head -n 1
+ }
+
 provided="$(printf '%s' "${INPUT_VERSION:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')"
 if [[ -n "$provided" ]]; then
 normalized="${provided#v}"
@@ -121,7 +143,7 @@ runs:
 "${release_by_tag_api}")"
 if [[ "$status_code" == "200" ]]; then
- existing_release_id="$(sed -n 's/.*"id"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' release-existing.json | head -n 1)"
+ existing_release_id="$(parse_release_id release-existing.json)"
 if [[ -z "$existing_release_id" ]]; then
 echo "Failed to parse existing release id for ${TAG_NAME}" >&2
 cat release-existing.json >&2
@@ -156,7 +178,7 @@ runs:
 exit 1
 fi
- release_id="$(sed -n 's/.*"id"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' release.json | head -n 1)"
+ release_id="$(parse_release_id release.json)"
 if [[ -z "$release_id" ]]; then
 echo "Failed to parse release id from API response" >&2
 cat release.json >&2
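Review bot: The `sed` fallback at the end of `parse_release_id` (first hunk of publish/action.yml) keeps the ambiguity this commit sets out to remove: its greedy `.*"id"` selects the last numeric `"id"` on a line, so on a runner without `python3` a single-line response can still yield a nested id and the assets would be attached to a different release, with nothing in the log saying the weaker parser ran. Write a warning to stderr before the `sed` line, or fail there instead of falling back. In the Python branch, a response that is not a JSON object makes the interpreter exit non-zero, the bare `return` passes that status on, and under `set -euo pipefail` the two `$(parse_release_id …)` assignments in the later hunks would stop the step before their "Failed to parse" branch can print the response. `isinstance(value, int)` also accepts JSON `true`/`false`. The fence shows both changes, with the heredoc indented as the page renders it.

```yaml
    python3 - "$json_file" <<'PY'
# … unchanged: import json, import sys …

try:
    with open(sys.argv[1], 'r', encoding='utf-8') as fh:
        payload = json.load(fh)
except (OSError, ValueError):
    # Print nothing and exit 0 so the caller's empty-id check reports the failure.
    sys.exit(0)

value = payload.get('id') if isinstance(payload, dict) else None
if isinstance(value, int) and not isinstance(value, bool):
    print(value)
PY
  # … unchanged: return, fi …

  # Fallback for environments without python3.
  echo "python3 not found; falling back to regex release id parsing" >&2
  # … unchanged: sed fallback line …
```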