fix: harden master auto deploy artifact delivery

.github/scripts/deploy_windows_winrm.py

@@ -31,10 +31,7 @@ def main() -> int:
     password = require_env("KK_DEPLOY_PASSWORD")
     deploy_root = optional_env("KK_DEPLOY_ROOT", r"C:\kkFileView-5.0")
     health_url = optional_env("KK_DEPLOY_HEALTH_URL", "http://127.0.0.1:8012/")
-    artifact_name = optional_env("KK_DEPLOY_ARTIFACT_NAME", "kkfileview-server-jar")
-    repository = require_env("GITHUB_REPOSITORY_NAME")
-    run_id = require_env("GITHUB_RUN_ID_VALUE")
-    artifact_token = require_env("KK_DEPLOY_ARTIFACT_TOKEN")
+    artifact_url = require_env("KK_DEPLOY_ARTIFACT_URL")
     dry_run = optional_env("KK_DEPLOY_DRY_RUN", "false").lower()
 
     script_path = pathlib.Path(__file__).with_name("remote_windows_deploy.ps1")
@@ -77,16 +74,17 @@ $ErrorActionPreference = 'Stop'
 $raw = Get-Content -LiteralPath '{ps_quote(remote_b64_path)}' -Raw
 [System.IO.File]::WriteAllBytes('{ps_quote(remote_ps1_path)}', [Convert]::FromBase64String($raw))
 try {{
+  $env:KK_DEPLOY_ARTIFACT_URL = '{ps_quote(artifact_url)}'
+  $env:KK_DEPLOY_ROOT = '{ps_quote(deploy_root)}'
+  $env:KK_DEPLOY_HEALTH_URL = '{ps_quote(health_url)}'
+  $env:KK_DEPLOY_DRY_RUN = '{ps_quote(dry_run)}'
   powershell -NoProfile -ExecutionPolicy Bypass -File '{ps_quote(remote_ps1_path)}' `
-    -Repository '{ps_quote(repository)}' `
-    -RunId '{ps_quote(run_id)}' `
-    -ArtifactName '{ps_quote(artifact_name)}' `
-    -GitHubToken '{ps_quote(artifact_token)}' `
-    -DeployRoot '{ps_quote(deploy_root)}' `
-    -HealthUrl '{ps_quote(health_url)}' `
-    -DryRun '{ps_quote(dry_run)}'
   $code = $LASTEXITCODE
 }} finally {{
+  Remove-Item Env:KK_DEPLOY_ARTIFACT_URL -ErrorAction SilentlyContinue
+  Remove-Item Env:KK_DEPLOY_ROOT -ErrorAction SilentlyContinue
+  Remove-Item Env:KK_DEPLOY_HEALTH_URL -ErrorAction SilentlyContinue
+  Remove-Item Env:KK_DEPLOY_DRY_RUN -ErrorAction SilentlyContinue
   Remove-Item '{ps_quote(remote_b64_path)}' -Force -ErrorAction SilentlyContinue
   Remove-Item '{ps_quote(remote_ps1_path)}' -Force -ErrorAction SilentlyContinue
 }}

.github/scripts/remote_windows_deploy.ps1

@@ -1,13 +1,3 @@
-param(
-    [Parameter(Mandatory = $true)][string]$Repository,
-    [Parameter(Mandatory = $true)][string]$RunId,
-    [Parameter(Mandatory = $true)][string]$ArtifactName,
-    [Parameter(Mandatory = $true)][string]$GitHubToken,
-    [Parameter(Mandatory = $true)][string]$DeployRoot,
-    [Parameter(Mandatory = $true)][string]$HealthUrl,
-    [string]$DryRun = 'false'
-)
-
 $ErrorActionPreference = 'Stop'
 
 function Write-Step {
@@ -15,6 +5,36 @@ function Write-Step {
     Write-Host "==> $Message"
 }
 
+function Get-RequiredEnv {
+    param([string]$Name)
+
+    $Value = [Environment]::GetEnvironmentVariable($Name)
+    if ([string]::IsNullOrWhiteSpace($Value)) {
+        throw "Missing required environment variable: $Name"
+    }
+
+    return $Value
+}
+
+function Get-OptionalEnv {
+    param(
+        [string]$Name,
+        [string]$DefaultValue
+    )
+
+    $Value = [Environment]::GetEnvironmentVariable($Name)
+    if ([string]::IsNullOrWhiteSpace($Value)) {
+        return $DefaultValue
+    }
+
+    return $Value
+}
+
+$ArtifactDownloadUrl = Get-RequiredEnv 'KK_DEPLOY_ARTIFACT_URL'
+$DeployRoot = Get-OptionalEnv 'KK_DEPLOY_ROOT' 'C:\kkFileView-5.0'
+$HealthUrl = Get-OptionalEnv 'KK_DEPLOY_HEALTH_URL' 'http://127.0.0.1:8012/'
+$DryRun = Get-OptionalEnv 'KK_DEPLOY_DRY_RUN' 'false'
+
 $BinDir = Join-Path $DeployRoot 'bin'
 $StartupScript = Join-Path $BinDir 'startup.bat'
 $ReleaseDir = Join-Path $DeployRoot 'releases'
@@ -63,33 +83,33 @@ if (Test-Path $ExtractDir) {
     Remove-Item $ExtractDir -Recurse -Force
 }
 
-$Headers = @{
-    Authorization = "Bearer $GitHubToken"
-    Accept = "application/vnd.github+json"
-    "X-GitHub-Api-Version" = "2022-11-28"
-    "User-Agent" = "kkFileView-auto-deploy"
+Write-Step 'Downloading workflow artifact via signed URL'
+$PreviousProgressPreference = $ProgressPreference
+$ProgressPreference = 'SilentlyContinue'
+try {
+    Invoke-WebRequest -Uri $ArtifactDownloadUrl -OutFile $ArtifactZip -UseBasicParsing -TimeoutSec 120
+} finally {
+    $ProgressPreference = $PreviousProgressPreference
 }
 
-$ArtifactsApi = "https://api.github.com/repos/$Repository/actions/runs/$RunId/artifacts"
-Write-Step "Resolving workflow artifact: $ArtifactName"
-$ArtifactsResponse = Invoke-RestMethod -Headers $Headers -Uri $ArtifactsApi -Method Get
-$Artifact = $ArtifactsResponse.artifacts | Where-Object { $_.name -eq $ArtifactName } | Select-Object -First 1
-
-if (-not $Artifact) {
-    throw "Artifact '$ArtifactName' not found for workflow run $RunId"
+if (-not (Test-Path $ArtifactZip)) {
+    throw "Artifact zip was not created: $ArtifactZip"
+}
+
+$ArtifactZipInfo = Get-Item $ArtifactZip
+if ($ArtifactZipInfo.Length -le 0) {
+    throw "Downloaded artifact zip is empty: $ArtifactZip"
 }
 
-Write-Step "Downloading artifact from GitHub Actions"
-Invoke-WebRequest -Headers $Headers -Uri $Artifact.archive_download_url -OutFile $ArtifactZip
 Expand-Archive -LiteralPath $ArtifactZip -DestinationPath $ExtractDir -Force
 
 $DownloadedJars = Get-ChildItem $ExtractDir -Filter 'kkFileView-*.jar' -Recurse
 if (-not $DownloadedJars) {
-    throw "No kkFileView jar found inside artifact '$ArtifactName'"
+    throw 'No kkFileView jar found inside downloaded workflow artifact'
 }
 
 if ($DownloadedJars.Count -ne 1) {
-    throw "Expected exactly one kkFileView jar inside artifact '$ArtifactName', found $($DownloadedJars.Count)"
+    throw "Expected exactly one kkFileView jar inside downloaded workflow artifact, found $($DownloadedJars.Count)"
 }
 
 $DownloadedJar = $DownloadedJars[0]