[8.8.0] Fix: Prevent GitHub 'Latest' badge regression on maintenance releases…

scripts/ci/build.sh

@@ -33,10 +33,9 @@ if ! command -v gsutil &>/dev/null; then
   echo "See https://cloud.google.com/sdk/downloads for instructions."
   exit 1
 fi
-if ! command -v github-release &>/dev/null; then
-  echo "Required tool 'github-release' not found. Download it from here:"
-  echo "https://github.com/c4milo/github-release/releases"
-  echo "Just extract the archive and put the binary on your PATH."
+if ! command -v gh &>/dev/null; then
+  echo "Required tool 'gh' (GitHub CLI) not found. Please install it:"
+  echo "See https://cli.github.com/ for instructions."
   exit 1
 fi
 if ! command -v debsign &>/dev/null; then
@@ -136,8 +135,8 @@ _Security_: All our binaries are signed with our
 '
 }
 
-# Deploy a github release using a third party tool:
-#   https://github.com/c4milo/github-release
+# Deploy a github release using the official GitHub CLI (gh):
+#   https://cli.github.com/
 # This methods expects the following arguments:
 #   $1..$n files generated by package_build (should not contains the README file)
 # Please set GITHUB_TOKEN to talk to the Github API.
@@ -150,13 +149,55 @@ function release_to_github() {
   local release_branch=$(get_release_branch)
 
   if [ -n "${release_name}" ]; then
-    local github_token="$(gsutil cat gs://bazel-trusted-encrypted-secrets/github-trusted-token.enc | \
+    local github_token
+    github_token="$(gsutil cat gs://bazel-trusted-encrypted-secrets/github-trusted-token.enc | \
         gcloud kms decrypt --project bazel-public --location global --keyring buildkite --key github-trusted-token --ciphertext-file - --plaintext-file -)"
-    if [ -z "${rc}" ]; then
-      GITHUB_TOKEN="${github_token}" github-release "bazelbuild/bazel" "${release_name}" "" "$(get_release_page)" "${artifact_dir}/*"
+
+    local latest_flag="true"
+    local prerelease_flag=""
+    local tag_to_deploy="${release_name}"
+
+    if [ -n "${rc}" ]; then
+      tag_to_deploy="${full_release_name}"
+      prerelease_flag="--prerelease"
+      latest_flag="false"
     else
-      GITHUB_TOKEN="${github_token}" github-release -prerelease "bazelbuild/bazel" "${full_release_name}" "${release_branch}" "$(get_release_page)" "${artifact_dir}/*"
+      echo "+++ Checking if ${release_name} should be marked as Latest"
+      # Query the current GitHub "latest" release to compare versions.
+      local current_latest_tag
+      if current_latest_tag=$(GH_TOKEN="${github_token}" gh release view --repo "bazelbuild/bazel" --json tagName --jq .tagName 2>/dev/null); then
+        if [[ -n "${current_latest_tag}" ]]; then
+          local highest
+          highest=$(printf '%s\n%s' "${current_latest_tag}" "${release_name}" | sort -V | tail -n 1)
+          if [[ "${release_name}" != "${highest}" ]]; then
+            echo "+++ Version ${release_name} is older than ${current_latest_tag}. Will NOT mark as latest."
+            latest_flag="false"
+          fi
+        fi
+      else
+        echo "+++ Warning: Could not determine current latest release tag. Will NOT mark as latest to be safe."
+        latest_flag="false"
+      fi
     fi
+
+    # Use a subshell so that the EXIT trap for temp file cleanup does not
+    # affect the outer script's traps.
+    (
+      notes_file="$(mktemp)"
+      trap 'rm -f "$notes_file"' EXIT
+      get_release_page > "$notes_file"
+
+      echo "+++ Deploying to GitHub (Tag: ${tag_to_deploy}, Latest: ${latest_flag})"
+
+      GH_TOKEN="${github_token}" gh release create "${tag_to_deploy}" \
+         "${artifact_dir}"/* \
+         --repo "bazelbuild/bazel" \
+         --target "${release_branch}" \
+         --title "${tag_to_deploy}" \
+         --notes-file "$notes_file" \
+         ${prerelease_flag} \
+         --latest="${latest_flag}"
+    )
   fi
 }
 
@@ -457,4 +498,3 @@ function deploy_release() {
   cp "${artifact_dir}"/* "${gcs_working_dir}"
   release_to_gcs "${gcs_working_dir}"
 }
-