feat(upgrade): add self-update command from Gitea Release

- Add secrets upgrade command: --check to verify, default to download and replace binary
- No database or master key required
- Support tar.gz and zip artifacts from Gitea Release

Made-with: Cursor

src/commands/upgrade.rs

@@ -0,0 +1,198 @@
+use anyhow::{Context, Result, bail};
+use flate2::read::GzDecoder;
+use serde::Deserialize;
+use std::io::{Cursor, Read, Write};
+
+const GITEA_API: &str = "https://gitea.refining.dev/api/v1/repos/refining/secrets/releases/latest";
+
+const CURRENT_VERSION: &str = env!("CARGO_PKG_VERSION");
+
+#[derive(Debug, Deserialize)]
+struct Release {
+    tag_name: String,
+    assets: Vec<Asset>,
+}
+
+#[derive(Debug, Deserialize)]
+struct Asset {
+    name: String,
+    browser_download_url: String,
+}
+
+/// Detect the asset suffix for the current platform/arch at compile time.
+fn platform_asset_suffix() -> Result<&'static str> {
+    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
+    {
+        Ok("x86_64-linux-musl.tar.gz")
+    }
+
+    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
+    {
+        Ok("aarch64-macos.tar.gz")
+    }
+
+    #[cfg(all(target_os = "macos", target_arch = "x86_64"))]
+    {
+        Ok("x86_64-macos.tar.gz")
+    }
+
+    #[cfg(all(target_os = "windows", target_arch = "x86_64"))]
+    {
+        Ok("x86_64-windows.zip")
+    }
+
+    #[cfg(not(any(
+        all(target_os = "linux", target_arch = "x86_64"),
+        all(target_os = "macos", target_arch = "aarch64"),
+        all(target_os = "macos", target_arch = "x86_64"),
+        all(target_os = "windows", target_arch = "x86_64"),
+    )))]
+    bail!(
+        "Unsupported platform: {}/{}",
+        std::env::consts::OS,
+        std::env::consts::ARCH
+    )
+}
+
+/// Strip the "secrets-" prefix from the tag and parse as semver.
+fn parse_tag_version(tag: &str) -> Result<semver::Version> {
+    let ver_str = tag
+        .strip_prefix("secrets-")
+        .with_context(|| format!("unexpected tag format: {tag}"))?;
+    semver::Version::parse(ver_str)
+        .with_context(|| format!("failed to parse version from tag: {tag}"))
+}
+
+/// Extract the binary from a tar.gz archive (first file whose name == "secrets").
+fn extract_from_targz(bytes: &[u8]) -> Result<Vec<u8>> {
+    let gz = GzDecoder::new(Cursor::new(bytes));
+    let mut archive = tar::Archive::new(gz);
+    for entry in archive.entries().context("failed to read tar entries")? {
+        let mut entry = entry.context("bad tar entry")?;
+        let path = entry.path().context("bad tar entry path")?.into_owned();
+        let fname = path
+            .file_name()
+            .and_then(|n| n.to_str())
+            .unwrap_or_default();
+        if fname == "secrets" || fname == "secrets.exe" {
+            let mut buf = Vec::new();
+            entry.read_to_end(&mut buf).context("read tar entry")?;
+            return Ok(buf);
+        }
+    }
+    bail!("binary not found inside tar.gz archive")
+}
+
+/// Extract the binary from a zip archive (first file whose name matches).
+#[cfg(target_os = "windows")]
+fn extract_from_zip(bytes: &[u8]) -> Result<Vec<u8>> {
+    let reader = Cursor::new(bytes);
+    let mut archive = zip::ZipArchive::new(reader).context("failed to open zip archive")?;
+    for i in 0..archive.len() {
+        let mut file = archive.by_index(i).context("bad zip entry")?;
+        let fname = file.name().to_owned();
+        if fname.ends_with("secrets.exe") || fname.ends_with("secrets") {
+            let mut buf = Vec::new();
+            file.read_to_end(&mut buf).context("read zip entry")?;
+            return Ok(buf);
+        }
+    }
+    bail!("binary not found inside zip archive")
+}
+
+pub async fn run(check_only: bool) -> Result<()> {
+    let current = semver::Version::parse(CURRENT_VERSION).context("invalid current version")?;
+
+    println!("Current version: v{current}");
+    println!("Checking for updates...");
+
+    let client = reqwest::Client::builder()
+        .user_agent(format!("secrets-cli/{CURRENT_VERSION}"))
+        .build()
+        .context("failed to build HTTP client")?;
+
+    let release: Release = client
+        .get(GITEA_API)
+        .send()
+        .await
+        .context("failed to fetch release info from Gitea")?
+        .error_for_status()
+        .context("Gitea API returned an error")?
+        .json()
+        .await
+        .context("failed to parse release JSON")?;
+
+    let latest = parse_tag_version(&release.tag_name)?;
+
+    if latest <= current {
+        println!("Already up to date (v{current})");
+        return Ok(());
+    }
+
+    println!("New version available: v{latest}");
+
+    if check_only {
+        println!("Run `secrets upgrade` to update.");
+        return Ok(());
+    }
+
+    let suffix = platform_asset_suffix()?;
+    let asset = release
+        .assets
+        .iter()
+        .find(|a| a.name.ends_with(suffix))
+        .with_context(|| {
+            format!(
+                "no asset found for this platform (looking for suffix: {suffix})\navailable: {}",
+                release
+                    .assets
+                    .iter()
+                    .map(|a| a.name.as_str())
+                    .collect::<Vec<_>>()
+                    .join(", ")
+            )
+        })?;
+
+    println!("Downloading {}...", asset.name);
+
+    let bytes = client
+        .get(&asset.browser_download_url)
+        .send()
+        .await
+        .context("download failed")?
+        .error_for_status()
+        .context("download returned an error")?
+        .bytes()
+        .await
+        .context("failed to read download body")?;
+
+    println!("Extracting...");
+
+    let binary = if suffix.ends_with(".tar.gz") {
+        extract_from_targz(&bytes)?
+    } else {
+        #[cfg(target_os = "windows")]
+        {
+            extract_from_zip(&bytes)?
+        }
+        #[cfg(not(target_os = "windows"))]
+        bail!("zip extraction is only supported on Windows")
+    };
+
+    // Write to a temporary file, set executable permission, then atomically replace.
+    let mut tmp = tempfile::NamedTempFile::new().context("failed to create temp file")?;
+    tmp.write_all(&binary)
+        .context("failed to write temp binary")?;
+
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::PermissionsExt;
+        let perms = std::fs::Permissions::from_mode(0o755);
+        std::fs::set_permissions(tmp.path(), perms).context("failed to chmod temp binary")?;
+    }
+
+    self_replace::self_replace(tmp.path()).context("failed to replace current binary")?;
+
+    println!("Updated: v{current} → v{latest}");
+    Ok(())
+}