Skip to content

Add roborev release discovery support#9

Closed
cpcloud wants to merge 1 commit into
mainfrom
codex/roborev-release-kit-plan
Closed

Add roborev release discovery support#9
cpcloud wants to merge 1 commit into
mainfrom
codex/roborev-release-kit-plan

Conversation

@cpcloud
Copy link
Copy Markdown
Contributor

@cpcloud cpcloud commented Jun 2, 2026

Summary

  • Add a selfupdate mode that follows GitHub's HTML /releases/latest redirect and constructs release download URLs from the discovered tag.
  • Add a tar.gz asset namer for release layouts that publish tarballs on every platform, including Windows.
  • Add a handoff plan for migrating roborev's internal updater onto kit.

Validation

  • go build ./...
  • go tool gotestsum --format pkgname-and-test-fails -- ./...
  • go vet ./...
  • go run ./cmd/testify-helper-check ./...
  • go tool nilaway -include-pkgs=go.kenn.io/kit ./...
  • nix run 'nixpkgs#golangci-lint' -- run

@cpcloud @codex
Add roborev release discovery support
ee02f07 
Roborev resolves releases through GitHub's HTML /releases/latest redirect to avoid unauthenticated api.github.com rate limits, then constructs asset and checksum URLs from the discovered tag. Kit's selfupdate package only supported API release discovery, so roborev could not migrate without either changing updater behavior or duplicating that redirect path.

Add a configurable redirect discovery mode and tar.gz asset namer so roborev can keep its existing release layout, including tar.gz Windows artifacts, while moving checksum, download, and install logic into kit. The plan file captures the follow-on roborev migration for a separate Codex worker.

Validation:
- go build ./...
- go tool gotestsum --format pkgname-and-test-fails -- ./...
- go vet ./...
- go run ./cmd/testify-helper-check ./...
- go tool nilaway -include-pkgs=go.kenn.io/kit ./...
- nix run 'nixpkgs#golangci-lint' -- run

Generated with Codex
Co-authored-by: OpenAI Codex <noreply@openai.com>
@cpcloud
Copy link
Copy Markdown
Contributor Author

cpcloud commented Jun 2, 2026

This is not right just yet.

@roborev-ci
Copy link
Copy Markdown

roborev-ci Bot commented Jun 2, 2026

roborev: Combined Review (ee02f07)

Verdict: One medium issue needs attention; no high or critical findings were reported.

Medium

  • selfupdate/selfupdate.go:1135 - Redirect discovery builds release download, checksum, and signature URLs by interpolating the raw tag and asset name into the path. Valid GitHub tags can contain /, so a redirect tag like cli/v1.2.0 becomes /releases/download/cli/v1.2.0/... instead of an escaped tag segment, which can break asset probing and downloads.
    • Fix: Path-escape the tag and asset name segments when building GitHub download URLs, and add a redirect-mode test covering a tag containing /.

Panel: ci_default_security | Synthesis: codex, 7s | Members: codex_default (codex/default, done, 3m31s), codex_security (codex/security, done, 3m24s) | Total: 7m2s | Job: 19840

@cpcloud
Copy link
Copy Markdown
Contributor Author

cpcloud commented Jun 2, 2026

Closing this because the direction changed: roborev should adopt kit's existing updater and GitHub release discovery instead of adding roborev-specific release discovery behavior to kit. No kit change is needed here; the follow-up work belongs in the roborev repo.

@cpcloud cpcloud closed this Jun 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cpcloud