Search code, repositories, users, issues, pull requests...

3.0.1

maintenance release with updated dependencies

`v3.0.0`

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24.
Use v3 on GitHub-hosted runners and self-hosted fleets that already support the
Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on
v2.6.2.

What's Changed

Other Changes 🔄

Move the action runtime and bundle target to Node 24
Update @types/node to the Node 24 line and allow future Dependabot updates
Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

`v3`

`v2.6.2`

What's Changed

Other Changes 🔄

chore(deps): bump picomatch from 4.0.3 to 4.0.4 by @dependabot[bot] in #775
chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 by @dependabot[bot] in #777
chore(deps): bump vite from 8.0.0 to 8.0.5 by @dependabot[bot] in #781

Full Changelog: softprops/action-gh-release@v2...v2.6.2

`v2.6.1`

2.6.1 is a patch release focused on restoring linked discussion thread creation when
discussion_category_name is set. It fixes #764, where the draft-first publish flow
stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

fix: preserve discussion category on publish by @chenrui333 in #765

`v2.6.0`

2.6.0 is a minor release centered on previous_tag support for generate_release_notes,
which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range.
It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync,
a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where
GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Exciting New Features 🎉

feat: support previous_tag for generate_release_notes by @pocesar in #372

Bug fixes 🐛

fix: recover concurrent asset metadata 404s by @chenrui333 in #760

Other Changes 🔄

docs: clarify reused draft release behavior by @chenrui333 in #759
docs: clarify working_directory input by @chenrui333 in #761
ci: verify dist bundle freshness by @chenrui333 in #762
fix: clarify immutable prerelease uploads by @chenrui333 in #763

`v2.5.3`

2.5.3 is a patch release focused on the remaining path-handling and release-selection bugs uncovered after 2.5.2.
It fixes #639, #571, #280, #614, #311, #403, and #368.
It also adds documentation clarifications for #541, #645, #542, #393, and #411,
where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

fix: prefer token input over GITHUB_TOKEN by @chenrui333 in #751
fix: clean up duplicate drafts after canonicalization by @chenrui333 in #753
fix: support Windows-style file globs by @chenrui333 in #754
fix: normalize refs-tag inputs by @chenrui333 in #755
fix: expand tilde file paths by @chenrui333 in #756

Other Changes 🔄

docs: clarify token precedence by @chenrui333 in #752
docs: clarify GitHub release limits by @chenrui333 in #758
documentation clarifications for empty-token handling, preserve_order, and special-character asset filename behavior

Full Changelog: softprops/action-gh-release@v2...v2.5.3

`v2.5.2`

2.5.2 is a patch release focused on the remaining release-creation and prerelease regressions in the 2.5.x bug-fix cycle.
It fixes #705, fixes #708, fixes #740, fixes #741, and fixes #722.
Regression testing covers the shared-tag race, prerelease event behavior, dotfile asset labels,
same-filename concurrent uploads, and blocked-tag cleanup behavior.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

fix: canonicalize releases after concurrent create by @chenrui333 in #746
fix: preserve prereleased events for prereleases by @chenrui333 in #748
fix: restore dotfile asset labels by @chenrui333 in #749
fix: handle upload already_exists races across workflows by @api2062 in #745
fix: clean up orphan drafts when tag creation is blocked by @chenrui333 in #750

New Contributors

@api2062 made their first contribution in #745

Full Changelog: softprops/action-gh-release@v2...v2.5.2

`v2.5.1`

actions/softprops/action-gh-release

2.5.1 is a patch release focused on regressions introduced in 2.5.0 and on release lookup reliability.
It fixes #713, addresses #703, and fixes #724. Regression testing shows that
current master no longer reproduces the finalize-race behavior reported in #704 and #709.

What's Changed

Bug fixes 🐛

fix: fetch correct asset URL after finalization; test; some refactoring by @pzhlkj6612 in #738
fix: release marked as 'latest' despite make_latest: false by @Boshen in #715
fix: use getReleaseByTag API instead of iterating all releases by @kim-em in #725

Other Changes 🔄

dependency updates, including the ESM/runtime compatibility refresh in #731

New Contributors

@autarch made their first contribution in #716
@pzhlkj6612 made their first contribution in #738
@Boshen made their first contribution in #715
@kim-em made their first contribution in #725

Full Changelog: softprops/action-gh-release@v2...v2.5.1

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions · 2026-04-12T09:48:08Z

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package

Version

Score

Details

718ea10b132b3b2eba29c1007bb80653f286566b

🟢 5.5

Details

Check	Score	Reason
Code-Review	⚠️ 0	Found 1/16 approved changesets -- score normalized to 0
Packaging	⚠️ -1	packaging workflow not detected
Maintained	🟢 10	19 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 10	all dependencies are pinned
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Security-Policy	⚠️ 0	security policy file not detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

Scanned Files

.github/workflows/push-tag.yml

sonarqubecloud · 2026-05-01T19:56:10Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

sonarqubecloud · 2026-05-28T15:44:30Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

sonarqubecloud · 2026-06-13T16:12:47Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

sonarqubecloud · 2026-06-19T15:48:05Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code