chore: replace softprops/action-gh-release with gh CLI in pack-tutorials workflow #471
Description
Priority Level
Medium
Task Summary
pack-tutorials.yml uses softprops/action-gh-release@v2 (mutable tag) to upload tutorial archives to GitHub releases. This action is maintained by a single person on a personal GitHub account and has no security policy.
Mutable version tags on third-party actions are a known supply chain risk vector - the same class of issue behind CVE-2025-30066 (tj-actions/changed-files compromise).
Additionally, the action is still on Node.js 20 with no node24-compatible release. GitHub will force Node.js 24 on June 2, 2026 and remove Node.js 20 on September 16, 2026.
Technical Details & Implementation Plan
Replace the third-party action with a gh release upload step in pack-tutorials.yml:
```yaml
- name: Upload tutorial archive to release
  env:
    GH_TOKEN: ${{ github.token }}
  run: gh release upload "${{ steps.get_release.outputs.tag }}" "${{ env.ZIP_FILE_NAME }}"
```
gh is pre-installed on all GitHub-hosted runners. This eliminates the third-party dependency entirely.
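The mutable-tag risk described above applies to every third-party `uses:` reference, not only this one. The following added check (example code, not part of the issue or the project) scans a workflow file and reports actions that are referenced by a tag or branch instead of a full 40-character commit SHA; the workflow text and the SHA it contains are constructed for illustration.

```python
import re

# Constructed sample modelled on pack-tutorials.yml: one action on a mutable tag
# (the one this issue replaces), one pinned to a (made-up) full commit SHA,
# one local action and one docker reference.
SAMPLE_WORKFLOW = """\
jobs:
  pack:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (constructed SHA)
      - uses: softprops/action-gh-release@v2
        with:
          files: ${{ env.ZIP_FILE_NAME }}
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
"""

# Matches a `uses:` step, optionally list-prefixed and optionally quoted,
# capturing the reference up to whitespace, a quote or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_mutable_uses(workflow_text):
    """Return (line_number, reference) for each third-party action whose
    version is a tag or branch rather than a full commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Local actions and docker images are not pinned via an action tag,
        # so they are out of scope for this check.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _action, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((line_no, ref))
    return findings


if __name__ == "__main__":
    for line_no, ref in find_mutable_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a full commit SHA")
```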
Dependencies
Blocked by #450 (Node.js 24 action upgrades) - should be addressed together or after that PR merges.