Skip to content

fix(wfctl): pin plugin install to requested version, not stale manifest #426

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
intel352 merged 2 commits into from
Apr 20, 2026
Merged

fix(wfctl): pin plugin install to requested version, not stale manifest #426

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
91643e7
fix(wfctl): pin plugin install to requested version, not stale manifest
intel352 Apr 20, 2026
1b51a0b
test(wfctl): add integration test for no-version install using manife…
intel352 Apr 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 42 additions & 1 deletion cmd/wfctl/plugin_install.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ func runPluginInstall(args []string) error {
}

nameArg := fs.Arg(0)
rawName, _ := parseNameVersion(nameArg)
rawName, requestedVersion := parseNameVersion(nameArg)
pluginName := normalizePluginName(rawName)

cfg, err := LoadRegistryConfig(*cfgPath)
Expand Down Expand Up @@ -165,6 +165,14 @@ func runPluginInstall(args []string) error {

fmt.Fprintf(os.Stderr, "Found in registry %q.\n", sourceName)

// Pin the manifest to the requested version when it differs from what the registry has.
// The registry manifest may be stale (e.g. v0.1.0) while the user requests v0.2.1.
// pinManifestToVersion rewrites download URLs in-place so the right release is fetched.
registryVersion := manifest.Version
if requestedVersion != "" && requestedVersion != manifest.Version {
pinManifestToVersion(manifest, requestedVersion)
Copy link

Copilot AI Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When version pinning is active, all manifest SHA256 values are cleared, which means the download step will silently skip checksum verification for the pinned install. Consider emitting a clear warning (or failing unless a checksum for the requested version can be obtained) so users understand they’re installing without integrity verification in this path.

Suggested change
pinManifestToVersion(manifest, requestedVersion)
pinManifestToVersion(manifest, requestedVersion)
fmt.Fprintf(os.Stderr,
"warning: installing %q at requested version %s using a pinned manifest derived from registry version %s; checksum verification may be skipped for this install if no checksum is available for the requested version\n",
pluginName, requestedVersion, registryVersion,
)

Copilot uses AI. Check for mistakes.
}

// Resolve and install dependencies before installing the plugin itself.
if len(manifest.Dependencies) > 0 {
resolved := make(map[string]string)
Expand All @@ -174,6 +182,10 @@ func runPluginInstall(args []string) error {
}

if err := installPluginFromManifest(pluginDirVal, pluginName, manifest); err != nil {
if requestedVersion != "" && requestedVersion != registryVersion {
return fmt.Errorf("requested version %s not available for %q (registry manifest is at %s): %w",
Copy link

Copilot AI Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The wrapped error text says the requested version is “not available”, but installPluginFromManifest can fail for many other reasons (disk permissions, corrupt tarball, post-install verification, etc.). This message can be misleading; consider wording it as “failed to install requested version …” or only using the “not available” wording when the underlying failure is clearly a 404/missing asset.

Suggested change
return fmt.Errorf("requested version %s not available for %q (registry manifest is at %s): %w",
return fmt.Errorf("failed to install requested version %s for %q (registry manifest is at %s): %w",

Copilot uses AI. Check for mistakes.
requestedVersion, pluginName, registryVersion, err)
}
return err
}

Expand Down Expand Up @@ -630,6 +642,35 @@ func installFromLocal(srcDir, pluginDir string) error {
return nil
}

// pinManifestToVersion rewrites the manifest's version and all download URLs to
// use requestedVersion. The registry manifest may lag behind the actual release
// (e.g. manifest says v0.1.0 but the user requests v0.2.1). GitHub release URLs
// follow a predictable pattern: replace /releases/download/<old>/<filename> with
// /releases/download/<new>/<filename>. SHA256 checksums are cleared since they are
// only valid for the original version's assets.
//
// If requestedVersion matches manifest.Version, this is a no-op.
func pinManifestToVersion(manifest *RegistryManifest, requestedVersion string) {
if requestedVersion == manifest.Version {
return
}
oldVersion := manifest.Version
manifest.Version = requestedVersion
for i := range manifest.Downloads {
url := manifest.Downloads[i].URL
// Replace the release tag in the GitHub releases download path.
rewritten := strings.ReplaceAll(url,
"/releases/download/"+oldVersion+"/",
"/releases/download/"+requestedVersion+"/")
// If the version string also appears in the filename, rewrite that too.
if rewritten == url && oldVersion != "" {
rewritten = strings.ReplaceAll(url, oldVersion, requestedVersion)
Comment on lines +665 to +667
Copy link

Copilot AI Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pinManifestToVersion won’t rewrite version strings in the filename when the URL already matched the /releases/download/<old>/ pattern. For URLs like .../releases/download/v0.1.0/plugin-v0.1.0.tar.gz, the path gets updated but the filename remains at the old version, so the download can still 404 or fetch the wrong asset. Apply the second replacement against the already-rewritten URL (or check strings.Contains(rewritten, oldVersion)), not only when rewritten == url.

Suggested change
// If the version string also appears in the filename, rewrite that too.
if rewritten == url && oldVersion != "" {
rewritten = strings.ReplaceAll(url, oldVersion, requestedVersion)
// If the version string also appears elsewhere in the URL (for example,
// in the asset filename), rewrite that too using the already-updated URL.
if oldVersion != "" {
rewritten = strings.ReplaceAll(rewritten, oldVersion, requestedVersion)

Copilot uses AI. Check for mistakes.
}
manifest.Downloads[i].URL = rewritten
manifest.Downloads[i].SHA256 = "" // checksums are for the old version's assets
}
}

// parseNameVersion splits "name@version" into (name, version). Version is empty if absent.
func parseNameVersion(arg string) (name, ver string) {
if idx := strings.Index(arg, "@"); idx >= 0 {
Expand Down
Loading
Loading