fix: codedb update downloads directly from GitHub releases #176
The CDN install script fails silently on macOS due to set -euo pipefail interacting with xattr -c returning non-zero. Bypass the install script entirely — detect platform, fetch latest version from CDN, download binary directly from GitHub releases, and mv in-place. Generated with AI Co-Authored-By: AI <ai@example.com>
Benchmark Regression Report
Threshold: 10.00%
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4f0a97961f
| \\VERSION=$(curl -fsSL https://codedb.codegraff.com/latest.json | grep -oE '"version"\s*:\s*"[^"]*"' | cut -d'"' -f4) | ||
| \\echo " latest: v${VERSION}" | ||
| \\TMP=$(mktemp) | ||
| \\curl -fsSL "https://github.com/justrach/codedb/releases/download/v${VERSION}/${BIN}" -o "$TMP" |
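Review bot: VERSION comes straight out of the grep/cut pipeline on latest.json and is interpolated into the release URL on the curl line with no check that it is non-empty or version-shaped. If the latest.json fetch fails or its layout changes, the request goes to .../download/v/${BIN}. Suggest matching VERSION against a strict pattern (digits and dots only) before building the URL and aborting with a clear message otherwise, and confirming that $TMP is removed on every failure path if that is not already handled further down.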
Verify update binary checksum before replacing executable
This update path now installs whatever curl returns from GitHub directly into the live codedb executable without any integrity check, which is a security regression from the installer flow (install/install.sh) that validates SHA-256 before mv. If the download is corrupted or tampered in transit/upstream, codedb update will replace the trusted binary with an unverified one.
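The check this review comment asks for, as an added example that is not code from the PR or from install/install.sh: hash the downloaded file and replace the executable only on a match. The function names and the way the caller obtains the expected digest are assumptions; the page does not show where the installer's SHA-256 value comes from.

```shell
#!/bin/sh
# Added example (hypothetical helper names): verify a downloaded binary
# against an expected SHA-256 before it replaces the installed executable.

# Print the lowercase hex SHA-256 of a file, using whichever tool exists
# (sha256sum on most Linux systems, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "no SHA-256 tool found" >&2
        return 1
    fi
}

# verify_and_install TMP EXPECTED DEST
# Replaces DEST with TMP only if TMP hashes to EXPECTED.
# Returns 0 on success, 1 on mismatch, 2 on a malformed digest,
# 3 if no hashing tool is available. On failure TMP is removed and
# DEST is left untouched.
verify_and_install() {
    vi_tmp=$1; vi_expected=$2; vi_dest=$3
    # Require exactly 64 hex digits so an empty or truncated digest
    # (for example from a failed fetch) can never be treated as a match.
    case "$vi_expected" in
        ''|*[!0-9a-fA-F]*) rm -f "$vi_tmp"; return 2 ;;
    esac
    [ "${#vi_expected}" -eq 64 ] || { rm -f "$vi_tmp"; return 2; }
    vi_expected=$(printf '%s' "$vi_expected" | tr 'A-F' 'a-f')
    vi_actual=$(sha256_of "$vi_tmp") || { rm -f "$vi_tmp"; return 3; }
    if [ "$vi_actual" != "$vi_expected" ]; then
        echo "checksum mismatch: got $vi_actual" >&2
        rm -f "$vi_tmp"
        return 1
    fi
    # The executable bit is set before the move so DEST is never left
    # in a half-installed state.
    chmod +x "$vi_tmp" && mv -f "$vi_tmp" "$vi_dest"
}
```

A checksum served from the same place as the binary only catches corruption; to catch tampering, the expected digest has to come from a source the attacker does not also control.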
| \\ darwin-arm64) BIN="codedb-darwin-arm64" ;; | ||
| \\ darwin-x86_64) BIN="codedb-darwin-x86_64" ;; | ||
| \\ linux-x86_64) BIN="codedb-linux-x86_64" ;; | ||
| \\ linux-aarch64) BIN="codedb-linux-aarch64" ;; |
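Review bot: the four arms shown end at linux-aarch64 and no *) arm is visible in this hunk. If none follows, an unsupported platform string leaves BIN unset and the download URL built from it ends in a bare slash. Suggest an explicit fallback arm that prints the detected platform and exits non-zero before any network request is made.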
Map Linux ARM64 to the correct release asset name
On Linux ARM64, this mapping chooses codedb-linux-aarch64, but the repo’s documented/referenced asset naming uses codedb-linux-arm64 (see README and installer/worker logic). Because codedb update now bypasses the worker’s name normalization and hits GitHub release URLs directly, ARM64 users will request a non-existent asset and updates will fail.
Problem
codedb update silently fails on macOS. The CDN install script's set -euo pipefail causes early exit when xattr -c returns non-zero on a file with no quarantine attributes.
Fix
Bypass the CDN install script entirely. The update command now:
- codedb.codegraff.com/latest.json
- mv -f in-place
Tested: 0.2.53 → 0.2.54 update confirmed working on macOS ARM64.