Revert "Revert "Add github action for publishing releases""

[strazto]

This reverts commit e3efd97.

From PR #39

[strazto]

@9p4 I've addressed the versioning comments, and pinned a ref to a commit, rather than the head of a main branch.
It should be sufficient to mitigate your concern about supply chain attacks - The current state of these actions is not malicious, and we can count on them remaining that way.

[strazto]

@9p4 @crobibero @Pfuenzle if any of yall feel up to reviewing this, please have at it!

Once this is merged, I will create some formal releases from the existing tags on github and the publish system should be set to transition over to being automated by the CI

[strazto]

Oh, @9p4 looks like you've configured a whitelist of actions -

https://github.com/9p4/jellyfin-plugin-sso/actions/runs/2525642835

fjogeleit/[email protected], oddstr13/jellyfin-plugin-repository-manager@master, softprops/action-gh-release@50195ba, and kevinjil/[email protected] are not allowed to be used in 9p4/jellyfin-plugin-sso. Actions in this workflow must be: within a repository owned by 9p4, created by GitHub, verified in the GitHub Marketplace, or matching the following: creyd/[email protected].

I'll give a review:

Doesn't use token:

• fjogeleit/[email protected],
• oddstr13/jellyfin-plugin-repository-manager@master,
  • I do notice that I somehow forgot to pin this

Uses token but I trust it at the pinned version:

• softprops/action-gh-release@50195ba,
• kevinjil/[email protected]

[strazto]

So specifically, pls whitelist:

fjogeleit/[email protected],oddstr13/jellyfin-plugin-repository-manager@b9e92867a6aa279d611a5ea80cf61f6358838c39,softprops/action-gh-release@50195ba7f6f93d1ac97ba8332a178e008ad176aa,kevinjil/[email protected]

[9p4]

Should be good

[strazto]

I don't think the ref for kevinjil/plugin action matches
The config I gave in the above code block should work

EDIT - nvm, I just changed the pinned ref from a tag to the commit hash