feat(upgrade): add self-update command from Gitea Release

- Add secrets upgrade command: --check to verify, default to download and replace binary - No database or master key required - Support tar.gz and zip artifacts from Gitea Release Made-with: Cursor
2026-03-19 11:01:43 +08:00
parent fcac14a8c4
commit 2da7aab3e5
9 changed files with 827 additions and 4 deletions
--- a/src/main.rs
+++ b/src/main.rs
@@ -388,6 +388,22 @@ EXAMPLES:
        #[arg(last = true, required = true)]
        command: Vec<String>,
    },
+
+    /// Check for a newer version and update the binary in-place.
+    ///
+    /// Downloads the latest release from Gitea and replaces the current binary.
+    /// No database connection or master key required.
+    #[command(after_help = "EXAMPLES:
+  # Check for updates only (no download)
+  secrets upgrade --check
+
+  # Download and install the latest version
+  secrets upgrade")]
+    Upgrade {
+        /// Only check if a newer version is available; do not download
+        #[arg(long)]
+        check: bool,
+    },
 }

 #[derive(Subcommand)]
@@ -422,6 +438,11 @@ async fn main() -> Result<()> {
        return commands::config::run(action).await;
    }

+    // upgrade needs no database or master key either
+    if let Commands::Upgrade { check } = cli.command {
+        return commands::upgrade::run(check).await;
+    }
+
    let db_url = config::resolve_db_url(&cli.db_url)?;
    let pool = db::create_pool(&db_url).await?;
    db::migrate(&pool).await?;
@@ -435,7 +456,7 @@ async fn main() -> Result<()> {
    // except delete which operates on plaintext metadata only.

    match cli.command {
-        Commands::Init | Commands::Config { .. } => unreachable!(),
+        Commands::Init | Commands::Config { .. } | Commands::Upgrade { .. } => unreachable!(),

        Commands::Add {
            namespace,