Mirror releases + install scripts to S3 for GitHub-restricted hosts#12
Merged
Conversation
…osts Add an opt-in CDN mirror path so the CLI can be installed where github.com is unreachable, without exposing the mirror host in the repo: - release.yml: mirror release binaries + checksums.txt + a releases/latest pointer to an S3-compatible bucket (driven by MIRROR_S3_* secrets; skips when unset). - install-scripts.yml: lint install.sh and mirror install.sh + install.ps1 to the same bucket on push to main. - install.sh / install.ps1: honor MIRROR_URL to resolve the version pointer and download assets from the mirror instead of GitHub, with checksums.txt verification (warn-and-skip for pre-mirror releases) and release-tag validation on the network-resolved version. - .goreleaser.yml: pin the checksum file name to checksums.txt so the verification path has a stable asset name. The mirror host is supplied at call time via MIRROR_URL / the S3 secrets, so the billable CDN address is never published in the repo.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds an opt-in CDN mirror so the CLI can be installed where
github.comis unreachable (e.g. mainland-China cloud hosts), mirroring the pattern already used inflashduty-runner. The mirror host is never published in the repo — it's supplied at call time viaMIRROR_URL/ theMIRROR_S3_*secrets, so the billable CDN address isn't exposed to scraping/abuse..github/workflows/release.yml— after GoReleaser, mirror*.tar.gz/*.zip/checksums.txtto an S3-compatible bucket at<PREFIX>/releases/download/<tag>/…and write a plain-text<PREFIX>/releases/latestpointer. Gated onMIRROR_S3_*secrets; skips cleanly when unset..github/workflows/install-scripts.yml(new) — shellcheck + parseinstall.sh, then mirrorinstall.sh+install.ps1to<PREFIX>/install.sh/<PREFIX>/install.ps1on push tomain.install.sh/install.ps1— honorMIRROR_URL: resolve the version pointer and download assets from the mirror instead of GitHub; verify againstchecksums.txt(warn-and-skip for the 18 pre-mirror releases that don't ship one); validate the network-resolved release tag before interpolating it into a URL..goreleaser.yml— pin checksum file name tochecksums.txt(matches the runner) so the verification path has a stable asset name going forward.Default behavior is unchanged: with no
MIRROR_URL, everything still installs straight from GitHub.Required follow-up (repo secrets)
The mirror is inert until these repo secrets are set (same names as
flashduty-runner):MIRROR_S3_ACCESS_KEY_ID,MIRROR_S3_SECRET_ACCESS_KEY,MIRROR_S3_REGION,MIRROR_S3_BUCKET,MIRROR_S3_ENDPOINT,MIRROR_S3_PATH_PREFIX(=flashduty-cli).Test plan
shellcheck -s sh install.sh+sh -n+bash -ncleanstatic.flashcat.cloud(or any mirror host) present in tracked filesreleases/latestland on the mirrorMIRROR_URL=<mirror> sh install.shinstalls end-to-end on a GitHub-blocked hostpwshparse / smoke ofinstall.ps1(couldn't run pwsh locally)