Rewrite asset deploy.

This switches to `gh` which is the more modern CLI, and also
available by default which removes the old installer script.

This also tightens the scope where GITHUB_TOKEN is exposed to just
the step where `gh` is executed.

Finally, it tightens the permissions on the GITHUB_TOKEN (though
`contents: write` is extremely permissive, since that allows writing to
almost anything in the repo).

Author: ehuss

.github/workflows/deploy.yml

@@ -7,6 +7,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: write
+
 jobs:
   release:
     name: Deploy Release
@@ -32,14 +35,14 @@ jobs:
             os: windows-latest
     steps:
     - uses: actions/checkout@master
-    - name: Install hub
-      run: ci/install-hub.sh ${{ matrix.os }}
     - name: Install Rust
       run: ci/install-rust.sh stable ${{ matrix.target }}
-    - name: Build and deploy artifacts
+    - name: Build asset
+      run: ci/make-release-asset.sh ${{ matrix.os }} ${{ matrix.target }}
+    - name: Update release with new asset
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: ci/make-release-asset.sh ${{ matrix.os }} ${{ matrix.target }}
+      run: gh release upload $MDBOOK_TAG $MDBOOK_ASSET
   pages:
     name: GitHub Pages
     runs-on: ubuntu-latest

ci/install-hub.sh

@@ -44,9 +44,10 @@ case $1 in
 esac
 cd ../..
 
-if [[ -z "$GITHUB_TOKEN" ]]
+if [[ -z "$GITHUB_ENV" ]]
 then
-  echo "$GITHUB_TOKEN not set, skipping deploy."
+  echo "GITHUB_ENV not set, run: gh release upload $TAG target/$asset"
 else
-  hub release edit -m "" --attach $asset $TAG
+  echo "MDBOOK_TAG=$TAG" >> $GITHUB_ENV
+  echo "MDBOOK_ASSET=target/$asset" >> $GITHUB_ENV
 fi