fix: Fetch hub-restyled to a temporary file during release.

iphydf · iphydf · commit 5de72052bd3d · 2026-02-16T23:05:01.000Z
Instead of downloading hub-restyled to the repository tree where it
might be accidentally committed, the release script now downloads it
to a temporary file if it's not already available in the PATH or
the script directory.
diff --git a/.github/workflows/release-deploy.yml b/.github/workflows/release-deploy.yml
@@ -48,11 +48,6 @@ jobs:
       - name: Link ci-tools
         if: github.repository == 'TokTok/ci-tools'
         run: ln -s .. third_party/ci-tools
-      - name: Download hub-restyled
-        run: |
-          mkdir -p third_party/ci-tools/tools
-          curl -sSL https://raw.githubusercontent.com/TokTok/hs-github-tools/master/tools/hub-restyled -o third_party/ci-tools/tools/hub-restyled
-          chmod +x third_party/ci-tools/tools/hub-restyled
       - name: Create GitHub actions identity
         run: third_party/ci-tools/tools/use_github_actions_identity.sh
       - name: Set up git upstream remote
diff --git a/tools/create_release.py b/tools/create_release.py
@@ -4,9 +4,12 @@
 import argparse
 import os
 import re
+import shutil
 import subprocess  # nosec
+import tempfile
 from dataclasses import dataclass
 
+import requests
 import create_tarballs
 import sign_release_assets
 import sign_tag
@@ -619,9 +622,29 @@ def stage_restyled(self, version: str, parent: stage.Stage) -> None:
         with stage.Stage("Restyled", "Applying restyled fixes", parent=parent) as s:
             script_dir = os.path.dirname(os.path.realpath(__file__))
             hub_restyled = os.path.join(script_dir, "hub-restyled")
+
+            downloaded = False
             if not os.path.exists(hub_restyled):
-                hub_restyled = "hub-restyled"
-            subprocess.run([hub_restyled], check=True)  # nosec
+                path_version = shutil.which("hub-restyled")
+                if path_version:
+                    hub_restyled = path_version
+                else:
+                    s.progress("Downloading hub-restyled")
+                    url = "https://raw.githubusercontent.com/TokTok/hs-github-tools/master/tools/hub-restyled"
+                    r = requests.get(url, timeout=60)
+                    r.raise_for_status()
+                    with tempfile.NamedTemporaryFile(delete=False) as f:
+                        f.write(r.content)
+                        hub_restyled = f.name
+                    os.chmod(hub_restyled, 0o755)
+                    downloaded = True
+
+            try:
+                subprocess.run([hub_restyled], check=True)  # nosec
+            finally:
+                if downloaded:
+                    os.unlink(hub_restyled)
+
             if self.git.is_clean():
                 raise s.fail("Failed to apply restyled changes")
             self.git.add(".")
