chore: bump to 0.7.1, workflow/readme/init/upgrade updates, fix clippy needless_borrows

Made-with: Cursor
2026-03-19 11:34:10 +08:00
parent 3973295d6a
commit 6ea9f0861b
6 changed files with 97 additions and 41 deletions
--- a/src/commands/upgrade.rs
+++ b/src/commands/upgrade.rs
@@ -3,6 +3,7 @@ use flate2::read::GzDecoder;
 use serde::Deserialize;
 use sha2::{Digest, Sha256};
 use std::io::{Cursor, Read, Write};
+use std::time::Duration;

 const GITEA_API: &str = "https://gitea.refining.dev/api/v1/repos/refining/secrets/releases/latest";

@@ -28,16 +29,17 @@ fn available_assets(assets: &[Asset]) -> String {
        .join(", ")
 }

-fn find_asset_by_suffix<'a>(assets: &'a [Asset], suffix: &str) -> Result<&'a Asset> {
-    assets
-        .iter()
-        .find(|a| a.name.ends_with(suffix))
-        .with_context(|| {
-            format!(
-                "no asset found for this platform (looking for suffix: {suffix})\navailable: {}",
-                available_assets(assets)
-            )
-        })
+fn release_asset_name(tag_name: &str, suffix: &str) -> String {
+    format!("secrets-{tag_name}-{suffix}")
+}
+
+fn find_asset_by_name<'a>(assets: &'a [Asset], name: &str) -> Result<&'a Asset> {
+    assets.iter().find(|a| a.name == name).with_context(|| {
+        format!(
+            "no matching release asset found: {name}\navailable: {}",
+            available_assets(assets)
+        )
+    })
 }

 /// Detect the asset suffix for the current platform/arch at compile time.
@@ -89,6 +91,22 @@ fn sha256_hex(bytes: &[u8]) -> String {
    format!("{digest:x}")
 }

+fn verify_checksum(asset_name: &str, archive: &[u8], checksum_contents: &str) -> Result<String> {
+    let expected_checksum = parse_checksum_file(checksum_contents)?;
+    let actual_checksum = sha256_hex(archive);
+
+    if actual_checksum != expected_checksum {
+        bail!(
+            "checksum verification failed for {}: expected {}, got {}",
+            asset_name,
+            expected_checksum,
+            actual_checksum
+        );
+    }
+
+    Ok(actual_checksum)
+}
+
 fn parse_checksum_file(contents: &str) -> Result<String> {
    let checksum = contents
        .split_whitespace()
@@ -163,6 +181,8 @@ pub async fn run(check_only: bool) -> Result<()> {

    let client = reqwest::Client::builder()
        .user_agent(format!("secrets-cli/{CURRENT_VERSION}"))
+        .connect_timeout(Duration::from_secs(10))
+        .timeout(Duration::from_secs(120))
        .build()
        .context("failed to build HTTP client")?;

@@ -192,18 +212,10 @@ pub async fn run(check_only: bool) -> Result<()> {
    }

    let suffix = platform_asset_suffix()?;
-    let asset = find_asset_by_suffix(&release.assets, suffix)?;
+    let asset_name = release_asset_name(&release.tag_name, suffix);
+    let asset = find_asset_by_name(&release.assets, &asset_name)?;
    let checksum_name = format!("{}.sha256", asset.name);
-    let checksum_asset = release
-        .assets
-        .iter()
-        .find(|a| a.name == checksum_name)
-        .with_context(|| {
-            format!(
-                "missing checksum asset for download: {checksum_name}\navailable: {}",
-                available_assets(&release.assets)
-            )
-        })?;
+    let checksum_asset = find_asset_by_name(&release.assets, &checksum_name)?;

    println!("Downloading {}...", asset.name);

@@ -214,19 +226,11 @@ pub async fn run(check_only: bool) -> Result<()> {
        "checksum download",
    )
    .await?;
-    let expected_checksum = parse_checksum_file(
+    let actual_checksum = verify_checksum(
+        &asset.name,
+        &archive,
        std::str::from_utf8(&checksum_contents).context("checksum file is not valid UTF-8")?,
    )?;
-    let actual_checksum = sha256_hex(&archive);
-
-    if actual_checksum != expected_checksum {
-        bail!(
-            "checksum verification failed for {}: expected {}, got {}",
-            asset.name,
-            expected_checksum,
-            actual_checksum
-        );
-    }

    println!("Verified SHA-256: {actual_checksum}");

@@ -298,6 +302,33 @@ mod tests {
        assert!(err.to_string().contains("invalid SHA-256 checksum format"));
    }

+    #[test]
+    fn release_asset_name_matches_release_tag() {
+        assert_eq!(
+            release_asset_name("secrets-0.7.0", "x86_64-linux-musl.tar.gz"),
+            "secrets-secrets-0.7.0-x86_64-linux-musl.tar.gz"
+        );
+    }
+
+    #[test]
+    fn find_asset_by_name_rejects_stale_platform_match() {
+        let assets = vec![
+            Asset {
+                name: "secrets-secrets-0.6.9-x86_64-linux-musl.tar.gz".into(),
+                browser_download_url: "https://example.invalid/old".into(),
+            },
+            Asset {
+                name: "secrets-secrets-0.7.0-aarch64-macos.tar.gz".into(),
+                browser_download_url: "https://example.invalid/other".into(),
+            },
+        ];
+
+        let err = find_asset_by_name(&assets, "secrets-secrets-0.7.0-x86_64-linux-musl.tar.gz")
+            .expect_err("stale asset should not match");
+
+        assert!(err.to_string().contains("no matching release asset found"));
+    }
+
    #[test]
    fn sha256_hex_matches_known_value() {
        assert_eq!(
@@ -306,6 +337,18 @@ mod tests {
        );
    }

+    #[test]
+    fn verify_checksum_rejects_mismatch() {
+        let err = verify_checksum(
+            "secrets.tar.gz",
+            b"abc",
+            "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  secrets.tar.gz",
+        )
+        .expect_err("checksum mismatch should fail");
+
+        assert!(err.to_string().contains("checksum verification failed"));
+    }
+
    #[test]
    fn extract_from_targz_reads_binary() {
        let payload = b"fake-secrets-binary";