Implement "roborev update" command and tui new version notification, incidental fixes #8
Merged
- Add `roborev update` command to check for and install updates
- Check GitHub releases API with 1-hour cache to avoid rate limits
- Download platform-specific binaries (darwin/linux, arm64/amd64)
- Verify SHA256 checksum if present in release notes
- Show full transparency: URLs, sizes, checksums, progress
- Auto-restart daemon after successful update
- Add TUI notification when new version is available
- Support --check flag to only check without installing
- Support --yes flag to skip confirmation prompt

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add testHookAfterSecondCheck hook to WorkerPool for tests
- Fix TestWorkerPoolCancelJobConcurrentRegister to use hook instead of relying on scheduler timing
- Fix TestWorkerPoolCancelJobFinalCheckDeadlockSafe to use hook to ensure it exercises the "final check" code path

Both tests now deterministically exercise the intended race condition scenarios instead of depending on timing.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Make guard check case-insensitive to handle RoboRev variant
- Simplify line filtering to use single case-insensitive check
- Add tests for: hook missing, no roborev content, roborev only (file removed), mixed content (preserves others), capitalized RoboRev

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Security fixes:
- Fix tar extraction path traversal vulnerability by sanitizing paths and rejecting absolute paths, .. components, and symlinks/hardlinks
- Require checksum verification - refuse to install without checksum
- Support SHA256SUMS file from release assets
- Fix case-insensitive checksum regex, normalize to lowercase
- Add timeout and error handling to daemon restart HTTP call
- Add clear error message for Windows self-update limitations

Tests:
- Add tests for path sanitization (absolute, .., hidden traversal)
- Add tests for tar extraction with malicious paths and symlinks
- Add tests for checksum parsing (uppercase, mixed case, multiline)
- Add tests for version comparison

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
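
The path and entry-type checks that the commit message above describes, sketched as an added Go example (not the code from this PR). `vetEntry`, `sampleEntries` and the destination directory are assumed names, and the headers are constructed sample input.

```go
package main

import (
	"archive/tar"
	"fmt"
	"path/filepath"
	"strings"
)

// vetEntry (hypothetical name) decides whether one tar header may be extracted
// under destDir and returns the target path. It rejects rather than rewrites.
func vetEntry(hdr *tar.Header, destDir string) (string, error) {
	// Only plain files and directories pass. A symlink or hardlink can redirect
	// a later write outside destDir even when every entry name looks harmless.
	if hdr.Typeflag != tar.TypeReg && hdr.Typeflag != tar.TypeDir {
		return "", fmt.Errorf("entry %q: type %q not allowed", hdr.Name, hdr.Typeflag)
	}
	if hdr.Name == "" || strings.HasPrefix(hdr.Name, "/") || filepath.IsAbs(hdr.Name) {
		return "", fmt.Errorf("entry %q: absolute or empty name", hdr.Name)
	}
	// Compare whole components so "a/../../b" is caught but "..cache" is not.
	for _, part := range strings.Split(hdr.Name, "/") {
		if part == ".." {
			return "", fmt.Errorf("entry %q: contains a .. component", hdr.Name)
		}
	}
	return filepath.Join(destDir, hdr.Name), nil
}

// Constructed sample headers, not taken from any real release archive.
// The first two are acceptable; every later one must be rejected.
var sampleEntries = []tar.Header{
	{Name: "roborev", Typeflag: tar.TypeReg},
	{Name: "..cache/readme", Typeflag: tar.TypeReg},
	{Name: "docs/../../outside.txt", Typeflag: tar.TypeReg},
	{Name: "/abs/roborev", Typeflag: tar.TypeReg},
	{Name: "link", Typeflag: tar.TypeSymlink, Linkname: "/elsewhere"},
	{Name: "hard", Typeflag: tar.TypeLink, Linkname: "roborev"},
}

func main() {
	for i := range sampleEntries {
		target, err := vetEntry(&sampleEntries[i], "/tmp/roborev-update")
		fmt.Printf("%-26q -> %q, err=%v\n", sampleEntries[i].Name, target, err)
	}
}
```
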
The loop `for _, a := range release.Assets` reuses the loop variable, so taking `&a` captured the same address on each iteration. Both asset and checksumsAsset would point to the last element of the slice.

Fix by iterating by index and taking address of slice element directly. Extract findAssets helper function for testability.

Add tests that verify correct asset selection from a multi-asset list, which would have caught this regression.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
cc @criccomini
Generate checksums file during release workflow and upload it alongside the binary tarballs. This enables the update command to verify downloaded binaries.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The release workflow produces versioned filenames like roborev_0.3.0_darwin_arm64.tar.gz but the update code was looking for roborev_darwin_arm64.tar.gz (no version).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixed #7. Still some testing / QA needed