feat: allow self-update from URL

[yannham]

Closes #1047

Allow self-update from URL

This PR adds the --url option to the pixi self-update command. This makes it possible to fetch a pixi update from an arbitrary URL instead of automatically getting it from GitHub releases. See #1047 for the motivation.

To avoid making execute() too large, I've tried to split stuff that isn't related to the console interaction - downloading files, unpacking the release archive - into smaller functions.

This is a first draft, and I believe there are a number of questions that need to be answered before merging:

1. When we download a binary from an URL, we can't extract the version in a trivial way, so there's currently no check if we downgrade or upgrade, and no warning prompt either way; we just unconditionally replace the current binary with the target binary. This isn't great.
2. Relatedly, this PR currently blindly replaces the binary without performing any sanity check. Providing a raw URL is fundamentally insecure - I'm not sure we can't do much against a malicious target beside maybe adding a warning before proceeding - however, we could avoid corrupting the pixi installation upon user error by e.g. running the target binary and making sure that the output of help or version is the one from a valid pixi binary. Running <downloaded-pixi> --version would also be a way to extract the new version and fix 1. at the same time.
3. I assumed that the target of the URL should be the final pixi binary, and not an archive. Does that sound right? Do people expect a slightly smarter logic, like detecting .zip or .tar.gz and automatically unpacking them?

Tests

I haven't found tests for self-update. I'm not sure this is really easy to test. I'll test it locally before making this ready for review but I'm open to suggestions if you think we could write potentially sensible tests.

[nichmor]

hey @yannham ! Thanks for this PR!

I will start by answering the easiest questions ( to me :):

• re: 3. I believe that indeed pointing to a Pixi binary is the right way. My argument is that it has the same ergonomics as setup-pixi action ( via pixi-url ), so somehow it is an intuitive way to use without getting your head around what will accept archive and what a plain URL. I would also imagine that people would mirror the pixi directly from GitHub releases for corporate reasons and store it also in binary format ( whereas conda-forge is just a way of distributing it in its own way, for example, how Nix does it https://github.com/NixOS/nixpkgs/blob/nixos-25.05/pkgs/by-name/pi/pixi/package.nix#L19, they also fetch it from binary)

• re: 1 - I think that using a URL is a replacement for the version argument. So it is neither an upgrade nor a downgrade in this semantic way. I would imagine seeing a message like: Installing pixi from URL source bla-bla. Not sure if it should be a warning as the user explicitlyenablese this behaviour

• re: 2 - continuing my thoughts from the second point, I think it is ok updating Pixi from a custom URL. I don't think it is necessary to do this safety check in this PR. In the future, we maybe can have a --secure option where we provide a sandbox environment to run it, but I think it is out of scope for this PR.

This is a small input from my side to guide you in continuing your PR. I will do a code review in a separate step

[nichmor]

I like the modularity!

for the tests, we have integration_python subfolder where we write our tests in python ( it is easier and faster to do it for some usecases)

maybe we can write one for self-update with URL? How I see it, is that we first add a new fixture pixi-to-replace , which is a copy of pixi one and we execute self-update for a older pixi version, and check the updated version.

[nichmor]

should we also provide a UX message like eprintln!("Downloading pixi") ?

[yannham]

Sure!

[yannham]

Any preference for the styling, like an emoji or a specific styling to apply to those kind of "doing something" messages?

[nichmor]

we may use green style as others, with console::Emoji("🚚 ", "") like this with some downloading text

[nichmor]

eprintln!(
        "{}Downloading Pixi from {},
        console::style(console::Emoji("🚚  ", "")).green(),
        our_url_here,
    );

maybe like this