Add support for files with spaces in their names (#24)

So far when uploading files containing spaces, such as `file 3.txt`, the `tea` command will be broken due to incorrectly formatted `tea` arguments.
I have been receiving `Remote repository required: Specify ID via --repo or execute from a local git repo.` which was not helpful until I turned on `verbose` and saw the whole command.

This fix should resolve this issue and thereby add active support for files with spaces.

Co-authored-by: Felix Kröner <felix.kroener@dynamic-biosensors.com>
Reviewed-on: https://code.forgejo.org/actions/forgejo-release/pulls/24
Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org>
Co-authored-by: Crown0815 <crown0815@noreply.code.forgejo.org>
Co-committed-by: Crown0815 <crown0815@noreply.code.forgejo.org>

.gitignore

@@ -1 +1,2 @@
 *~
+.idea

forgejo-release.sh

@@ -22,43 +22,48 @@ if ${VERBOSE:-false}; then set -x; fi
 export GNUPGHOME
 
 setup_tea() {
-    if ! test -f $BIN_DIR/tea ; then
-	ARCH=$(dpkg --print-architecture)
-	curl -sL https://dl.gitea.io/tea/$TEA_VERSION/tea-$TEA_VERSION-linux-$ARCH > $BIN_DIR/tea
-	chmod +x $BIN_DIR/tea
+    if ! test -f "$BIN_DIR"/tea ; then
+    ARCH=$(dpkg --print-architecture)
+    curl -sL https://dl.gitea.io/tea/$TEA_VERSION/tea-$TEA_VERSION-linux-"$ARCH" > "$BIN_DIR"/tea
+    chmod +x "$BIN_DIR"/tea
     fi
 }
 
 ensure_tag() {
-    if api GET repos/$REPO/tags/$TAG > $TMP_DIR/tag.json ; then
-	local sha=$(jq --raw-output .commit.sha < $TMP_DIR/tag.json)
-	if test "$sha" != "$SHA" ; then
-	    cat $TMP_DIR/tag.json
-	    echo "the tag SHA in the $REPO repository does not match the tag SHA that triggered the build: $SHA"
-	    false
-	fi
+    if api GET repos/$REPO/tags/"$TAG" > "$TMP_DIR"/tag.json ; then
+    local sha=$(jq --raw-output .commit.sha < "$TMP_DIR"/tag.json)
+    if test "$sha" != "$SHA" ; then
+        cat "$TMP_DIR"/tag.json
+        echo "the tag SHA in the $REPO repository does not match the tag SHA that triggered the build: $SHA"
+        false
+    fi
     else
-	api POST repos/$REPO/tags --data-raw '{"tag_name": "'$TAG'", "target": "'$SHA'"}'
+    api POST repos/$REPO/tags --data-raw '{"tag_name": "'"$TAG"'", "target": "'"$SHA"'"}'
     fi
 }
 
 upload_release() {
-    local assets=$(ls $RELEASE_DIR/* | sed -e 's/^/-a /')
+    # assets is defined as a list of arguments, where values may contain whitespace and need to be quoted like this -a "my file.txt" -a "file.txt".
+    # It is expanded using "${assets[@]}" which preserves the separation of arguments and not split whitespace containing values.
+    # For reference, see https://github.com/koalaman/shellcheck/wiki/SC2086#exceptions
+    local assets=()
+    for file in "$RELEASE_DIR"/*; do
+        assets=("${assets[@]}" -a "$file")
+    done
     if $PRERELEASE || echo "${TAG}" | grep -qi '\-rc' ; then
-        releasetype="--prerelease"
+        releaseType="--prerelease"
         echo "Uploading as Pre-Release"
     else
         echo "Uploading as Stable"
     fi
     ensure_tag
-    anchor=$(echo $TAG | sed -e 's/^v//' -e 's/[^a-zA-Z0-9]/-/g')
-    if ! $BIN_DIR/tea release create $assets --repo $REPO --note "$RELEASENOTES" --tag $TAG --title "$TITLE" --draft ${releasetype} >& $TMP_DIR/tea.log ; then
-        if grep --quiet 'Unknown API Error: 500' $TMP_DIR/tea.log && grep --quiet services/release/release.go:194 $TMP_DIR/tea.log ; then
+    if ! "$BIN_DIR"/tea release create "${assets[@]}" --repo $REPO --note "$RELEASENOTES" --tag "$TAG" --title "$TITLE" --draft ${releaseType} >& "$TMP_DIR"/tea.log ; then
+        if grep --quiet 'Unknown API Error: 500' "$TMP_DIR"/tea.log && grep --quiet services/release/release.go:194 "$TMP_DIR"/tea.log ; then
             echo "workaround v1.20 race condition https://codeberg.org/forgejo/forgejo/issues/1370"
             sleep 10
-            $BIN_DIR/tea release create $assets --repo $REPO --note "$RELEASENOTES" --tag $TAG --title "$TITLE" --draft ${releasetype}
+            "$BIN_DIR"/tea release create "${assets[@]}" --repo $REPO --note "$RELEASENOTES" --tag "$TAG" --title "$TITLE" --draft ${releaseType}
         else
-            cat $TMP_DIR/tea.log
+            cat "$TMP_DIR"/tea.log
             return 1
         fi
     fi
@@ -69,52 +74,52 @@ upload_release() {
 release_draft() {
     local state="$1"
 
-    local id=$(api GET repos/$REPO/releases/tags/$TAG | jq --raw-output .id)
+    local id=$(api GET repos/$REPO/releases/tags/"$TAG" | jq --raw-output .id)
 
-    api PATCH repos/$REPO/releases/$id --data-raw '{"draft": '$state', "hide_archive_links": '$HIDE_ARCHIVE_LINK'}'
+    api PATCH repos/$REPO/releases/"$id" --data-raw '{"draft": '"$state"', "hide_archive_links": '$HIDE_ARCHIVE_LINK'}'
 }
 
 maybe_use_release_note_assistant() {
     if "$RELEASE_NOTES_ASSISTANT"; then
         curl --fail -s -S -o rna https://code.forgejo.org/forgejo/release-notes-assistant/releases/download/v1.2.3/release-notes-assistant
         chmod +x ./rna
-        ./rna --storage release --storage-location $TAG --forgejo-url $SCHEME://placeholder:$TOKEN@$HOST --repository $REPO --token $TOKEN release $TAG
+        ./rna --storage release --storage-location "$TAG" --forgejo-url "$SCHEME"://placeholder:"$TOKEN"@"$HOST" --repository $REPO --token "$TOKEN" release "$TAG"
     fi
 }
 
 sign_release() {
     local passphrase
     if test -s "$GPG_PASSPHRASE"; then
-	passphrase="--passphrase-file $GPG_PASSPHRASE"
+    passphrase="--passphrase-file $GPG_PASSPHRASE"
     fi
     gpg --import --no-tty --pinentry-mode loopback $passphrase "$GPG_PRIVATE_KEY"
-    for asset in $RELEASE_DIR/* ; do
-	if [[ $asset =~ .sha256$ ]] ; then
-	    continue
-	fi
-	gpg --armor --detach-sign --no-tty --pinentry-mode loopback $passphrase < $asset > $asset.asc
+    for asset in "$RELEASE_DIR"/* ; do
+    if [[ $asset =~ .sha256$ ]] ; then
+        continue
+    fi
+    gpg --armor --detach-sign --no-tty --pinentry-mode loopback $passphrase < "$asset" > "$asset".asc
     done
 }
 
 maybe_sign_release() {
     if test -s "$GPG_PRIVATE_KEY"; then
-	sign_release
+    sign_release
     fi
 }
 
 maybe_override() {
     if test "$OVERRIDE" = "false"; then
-	return
+    return
     fi
-    api DELETE repos/$REPO/releases/tags/$TAG >& /dev/null || true
-    api DELETE repos/$REPO/tags/$TAG >& /dev/null || true
+    api DELETE repos/$REPO/releases/tags/"$TAG" >& /dev/null || true
+    api DELETE repos/$REPO/tags/"$TAG" >& /dev/null || true
 }
 
 upload() {
     setup_api
     setup_tea
     rm -f ~/.config/tea/config.yml
-    GITEA_SERVER_TOKEN=$TOKEN $BIN_DIR/tea login add --url $FORGEJO
+    GITEA_SERVER_TOKEN=$TOKEN "$BIN_DIR"/tea login add --url $FORGEJO
     maybe_sign_release
     maybe_override
     upload_release
@@ -122,8 +127,8 @@ upload() {
 
 setup_api() {
     if ! which jq curl ; then
-	apt-get -qq update
-	apt-get install -y -qq jq curl
+    apt-get -qq update
+    apt-get install -y -qq jq curl
     fi
 }
 
@@ -133,46 +138,46 @@ api() {
     path=$1
     shift
 
-    curl --fail -X $method -sS -H "Content-Type: application/json" -H "Authorization: token $TOKEN" "$@" $FORGEJO/api/v1/$path
+    curl --fail -X "$method" -sS -H "Content-Type: application/json" -H "Authorization: token $TOKEN" "$@" $FORGEJO/api/v1/"$path"
 }
 
 wait_release() {
     local ready=false
     for i in $(seq $RETRY); do
-	if api GET repos/$REPO/releases/tags/$TAG | jq --raw-output .draft > $TMP_DIR/draft; then
-	    if test "$(cat $TMP_DIR/draft)" = "false"; then
-		ready=true
-		break
-	    fi
-	    echo "release $TAG is still a draft"
-	else
-	    echo "release $TAG does not exist yet"
-	fi
-	echo "waiting $DELAY seconds"
-	sleep $DELAY
+    if api GET repos/$REPO/releases/tags/"$TAG" | jq --raw-output .draft > "$TMP_DIR"/draft; then
+        if test "$(cat "$TMP_DIR"/draft)" = "false"; then
+        ready=true
+        break
+        fi
+        echo "release $TAG is still a draft"
+    else
+        echo "release $TAG does not exist yet"
+    fi
+    echo "waiting $DELAY seconds"
+    sleep $DELAY
     done
     if ! $ready ; then
-	echo "no release for $TAG"
-	return 1
+    echo "no release for $TAG"
+    return 1
     fi
 }
 
 download() {
     setup_api
     (
-	mkdir -p $RELEASE_DIR
-	cd $RELEASE_DIR
+    mkdir -p $RELEASE_DIR
+    cd $RELEASE_DIR
     if [[ ${DOWNLOAD_LATEST} == "true" ]] ; then
         echo "Downloading the latest release"
-        api GET repos/$REPO/releases/latest > $TMP_DIR/assets.json
+        api GET repos/$REPO/releases/latest > "$TMP_DIR"/assets.json
     elif [[ ${DOWNLOAD_LATEST} == "false" ]] ; then
         wait_release
         echo "Downloading tagged release ${TAG}"
-	    api GET repos/$REPO/releases/tags/$TAG > $TMP_DIR/assets.json
+        api GET repos/$REPO/releases/tags/"$TAG" > "$TMP_DIR"/assets.json
     fi
-	jq --raw-output '.assets[] | "\(.name) \(.browser_download_url)"' < $TMP_DIR/assets.json | while read name url ; do
-	    curl --fail -H "Authorization: token $TOKEN" -o $name -L $url
-	done
+     jq --raw-output '.assets[] | "\(.browser_download_url) \(.name)"' < "$TMP_DIR"/assets.json | while read url name  ; do  # `name` may contain whitespace, therefore, it must be last
+       curl --fail -H "Authorization: token $TOKEN" -o "$name" -L "$url"
+     done
     )
 }
 

testdata/upload-download/upload-dir/file 3.txt

@@ -0,0 +1 @@
+FILE3