feat: mirror releases + install.sh to S3-compatible storage #41
Merged
GitHub release URLs and raw.githubusercontent.com are unreachable for
many users in mainland China. Add an opt-in mirror so a domestic CDN can
serve binaries and the installer without exposing the URL in public docs.
- goreleaser.yml: after a release, upload dist/*.{tar.gz,zip} +
checksums.txt to s3://<bucket>/<prefix>/releases/download/<tag>/, then
write a plain-text releases/latest pointer (last, so a partial upload
doesn't advertise a broken version).
- install-sh.yml: on push to main, mirror install.sh to the same bucket.
- install.sh: add MIRROR_URL env var. When set, resolve_version reads
<MIRROR_URL>/releases/latest and downloads come from
<MIRROR_URL>/releases/download/<tag>/. Default behavior unchanged.
Validates the resolved tag (charset + leading-v shape) to block
garbage/path-traversal from a hostile mirror; sha256 against
checksums.txt is still required, so binary tampering is detected.
Both workflow steps skip silently when MIRROR_S3_BUCKET /
MIRROR_S3_ENDPOINT secrets are absent.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pre-existing whitespace drift in the TaskOperation const block — golangci-lint flagged it on this PR. Pure re-alignment, no semantic change.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
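Summary
- `dist/*.{tar.gz,zip}` + `checksums.txt` to an S3-compatible bucket and write a plain-text `releases/latest` pointer.
- `main`, mirror `install.sh` to the same bucket.
- `install.sh` learns a `MIRROR_URL` env var: when set, version resolution and binary downloads go through the mirror instead of github.com. Default behavior unchanged.

Motivation: GitHub release URLs and `raw.githubusercontent.com` are unreachable for many users in mainland China. This lets a domestic CDN serve everything without advertising the URL in public docs.

Trust model
- `checksums.txt`. A tampered binary is still caught — `install.sh` continues to verify sha256 against `checksums.txt` after download.
- `checksums.txt` together with a tampered binary would not be caught by the script alone (same model as the existing GitHub flow); attestations stay on GitHub Releases.
- `MIRROR_URL` is required to be `https://`. The resolved tag from `<MIRROR_URL>/releases/latest` is validated against a charset + leading-`v` shape so a hostile mirror cannot inject path traversal or shell metacharacters.

Required secrets (skip silently if any of `MIRROR_S3_BUCKET` / `MIRROR_S3_ENDPOINT` are unset)
- `MIRROR_S3_ENDPOINT` — e.g. `https://cos.ap-shanghai.myqcloud.com`
- `MIRROR_S3_REGION` — e.g. `ap-shanghai`
- `MIRROR_S3_BUCKET`
- `MIRROR_S3_ACCESS_KEY_ID`
- `MIRROR_S3_SECRET_ACCESS_KEY`
- `MIRROR_S3_PATH_PREFIX` — optional, e.g. `flashduty-runner`

Usage (not in README on purpose)

Test plan
- `shellcheck -s sh install.sh` + `sh -n` + `bash -n` pass
- `install-sh.yml` smoke test (no `MIRROR_URL`) — regression check on the GitHub path
- `MIRROR_URL`
- `MIRROR_URL=http://...` exits with a clear "https:// required" error
- `v0.0.5/../etc`, `v 0.0.5`, `v0.0.5;rm`, `garbage`, empty; accepts `v0.0.5`, `v1.2.3-rc1`, `v1.2.3+build.1`
- `install.sh` on `main` → mirror job uploads → `curl https://<cdn>/<prefix>/install.sh` returns the file
- `vX.Y.Z-rc.1` → `releases/download/<tag>/` populated and `releases/latest` contains the tag
- `curl ...install.sh | sudo MIRROR_URL=... bash -s -- --no-service --version <tag>` installs cleanly; logs show "Resolving latest release from mirror"
- `checksums.txt` in the mirror → install exits 4 (Checksum mismatch)

🤖 Generated with Claude Code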
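The `https://` requirement and the tag check (charset + leading-v shape) described in the commit message and test plan, sketched in POSIX sh as an added example that is not the PR's own `install.sh`. The function names and the idea of passing the asset name as an argument are assumptions; the sample tags are the ones listed in the test plan.

```shell
#!/bin/sh
# Added illustration: function names are hypothetical, not taken from the
# project's install.sh.
LC_ALL=C; export LC_ALL   # make the [A-Za-z] ranges below byte-exact

# The mirror base URL must be https:// so the releases/latest pointer and
# checksums.txt cannot be rewritten in transit.
validate_mirror_url() {
    case "$1" in
        https://?*) return 0 ;;
        *)          return 1 ;;
    esac
}

# The tag is read from <MIRROR_URL>/releases/latest, i.e. it is chosen by the
# mirror, so treat it as untrusted: allowlisted characters only, then shape.
validate_tag() {
    case "$1" in
        "")                 return 1 ;;  # empty pointer
        *[!A-Za-z0-9.+-]*)  return 1 ;;  # '/', space, ';', newline, ...
        v[0-9]*)            return 0 ;;  # v0.0.5, v1.2.3-rc1, v1.2.3+build.1
        *)                  return 1 ;;  # allowed characters, wrong shape
    esac
}

# Print the download URL for an asset, or fail without printing anything.
mirror_asset_url() {  # args: base-url tag asset
    validate_mirror_url "$1" || return 1
    validate_tag "$2" || return 1
    printf '%s/releases/download/%s/%s\n' "${1%/}" "$2" "$3"
}

# Sample pointer values from the test plan, one per line (constructed input,
# not captured from a real mirror).
samples='v0.0.5
v1.2.3-rc1
v1.2.3+build.1
v0.0.5/../etc
v 0.0.5
v0.0.5;rm
garbage'
printf '%s\n' "$samples" | while IFS= read -r tag; do
    if validate_tag "$tag"; then echo "accept: $tag"; else echo "reject: $tag"; fi
done
```

The character allowlist runs before the shape check, so a value such as `v0.0.5/../etc` is rejected on the `/` even though it starts with a valid-looking version.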
shellcheck -s sh install.sh+sh -n+bash -npassinstall-sh.ymlsmoke test (noMIRROR_URL) — regression check on the GitHub pathMIRROR_URLMIRROR_URL=http://...exits with a clear "https:// required" errorv0.0.5/../etc,v 0.0.5,v0.0.5;rm,garbage, empty; acceptsv0.0.5,v1.2.3-rc1,v1.2.3+build.1install.shonmain→ mirror job uploads →curl https://<cdn>/<prefix>/install.shreturns the filevX.Y.Z-rc.1→releases/download/<tag>/populated andreleases/latestcontains the tagcurl ...install.sh | sudo MIRROR_URL=... bash -s -- --no-service --version <tag>installs cleanly; logs show "Resolving latest release from mirror"checksums.txtin the mirror → install exits 4 (Checksum mismatch)🤖 Generated with Claude Code