workflows: replace softprops/action-gh-release with gh CLI (v22.21.1-profiler)

[harshita-gupta]

DO NOT MERGE until canary PR #20 (main) is validated

This is part of the rollout of the softprops → gh-CLI migration across all Asana/node branches. The canary PR on main (#20) must be merged and end-to-end validated first. Merging this PR before then risks landing a regression on a production release branch with no safety net.

Validation checklist to complete on main (#20) before touching this PR

Copy these into PR #20 when you work it:

• PR workflows: replace softprops/action-gh-release with gh CLI (main) #20 is merged into main.
• Manually trigger Build Node on main via workflow_dispatch. Both matrix arms (linux-x64, linux-arm64) succeed without a race failure on gh release create.
• The resulting release node-vX.Y.Z-release exists (or continues to exist) with title node-vX.Y.Z-LATEST, and both architecture archives appear as assets.
• Manually trigger Build Node-Packages on main. Assets appear; release title still correct.
• Manually trigger Build node-fibers with prebuilt Node on main. Assets appear; release title still correct.
• Manually trigger Build Node with options around OpenSSL dynamic linking and FIPS on main with appropriate BUILD_REF. Assets appear in the separate -fips-static-release release with the expected title.
• Byte-identity spot-check: compare sha256sum of an asset uploaded post-migration against one uploaded pre-migration on another branch — should match.
• No release-body or commitish drift observed in any of the above.

Only after all of those pass — mark this PR ready for review and merge.

Summary

Supply-chain hardening: softprops/action-gh-release is a single-maintainer third-party action pinned to the mutable @v1 tag. If that account is compromised or the tag is re-pointed, every workflow depending on it runs whatever the new code does. Replacing it with the first-party gh CLI (pre-installed on GitHub-hosted runners, maintained by GitHub) removes that dependency from the release-upload path.

Migrates all four release-upload call-sites on v22.21.1-profiler:

• .github/workflows/build-node.yml
• .github/workflows/build-node-fibers.yml
• .github/workflows/build-node-openssl-fips.yml
• .github/workflows/build-node-packages.yml

After this PR: zero references to softprops/action-gh-release on v22.21.1-profiler. The workflow files on this branch are byte-identical to v22.21.1, so this PR is a cherry-pick of the commit from #21.

Replacement shape

Each softprops step becomes:

- name: Upload <...> archive to release
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: |
    set -euo pipefail
    TAG="node-${NODE_VERSION}-release"
    RELEASE_NAME="node-${NODE_VERSION}-LATEST"
    FILE="<path-or-shell-expr>"
    if ! gh release view "$TAG" --repo "$REPO" >/dev/null 2>&1; then
      gh release create "$TAG" --title "$RELEASE_NAME" --notes "" --repo "$REPO" \
        || gh release view "$TAG" --repo "$REPO" >/dev/null
    fi
    gh release upload "$TAG" "$FILE" --clobber --repo "$REPO"
    gh release edit "$TAG" --title "$RELEASE_NAME" --repo "$REPO"

Each job gains REPO: ${{ github.repository }} in its job-level env:. build-node-openssl-fips.yml had no job-level env block previously; it gets a minimal one containing only REPO.

Divergence from main's post-migration shape

On main, build-node-packages.yml uses a simpler upload pattern (plain gh release upload --clobber, no view-or-create guard, no gh release edit --title), because it runs downstream of build-node.yml. On this branch the workflow is migrated with the full pattern (view-or-create + edit --title) to preserve the behavior softprops gave us: the release and title are re-asserted on every upload, including for standalone workflow_dispatch runs of packages. If you'd rather match main's simpler shape here, say so and I'll simplify.

Behavior deltas vs. softprops/action-gh-release@v1

See PR #20 for the full delta table. Summary: 7 no-op deltas, 3 covered by the replacement block (view-or-create, clobber, edit-title), 1 stricter-beneficial (missing-file fails loudly), 1 supply-chain benefit (the point of this work).

Post-merge test plan for this branch

• Manually trigger Build Node (Standard) on v22.21.1-profiler via workflow_dispatch. Assets appear in node-v22.21.1-release.
• Build Node-Packages runs (via workflow_run) or is dispatched. Assets appear.
• Build Custom Fibers runs or is dispatched. Assets appear.
• Build Node (FIPS) dispatched with BUILD_REF=v22.21.1-profiler or whatever ref is in use. Assets appear in node-v22.21.1-fips-release.
• Spot-check asset sha256sum matches pre-migration.