CLI-20 call install script during self-update

Author: sophio-japharidze-sonarsource

src/commands/self-update.ts

@@ -87,12 +87,11 @@ export async function selfUpdateCommand(options: { check?: boolean; force?: bool
   }
 
   blank();
-  const installedVersion = await withSpinner(
-    `Downloading and installing v${latest}`,
-    () => performSelfUpdate(latest)
+  await withSpinner(
+    `Installing v${latest}`,
+    performSelfUpdate
   );
 
   blank();
-  success(`Updated to v${installedVersion}`);
-  text(`  Path: ${process.execPath}`);
+  success(`Updated to v${latest}`);
 }

src/lib/self-update.ts

@@ -20,18 +20,14 @@
 
 // Self-update logic for the sonarqube-cli binary
 
-import { existsSync } from 'node:fs';
-import { copyFile, chmod, rename, unlink, mkdtemp, writeFile, rm } from 'node:fs/promises';
+import { mkdtemp, writeFile, rm } from 'node:fs/promises';
 import { join } from 'node:path';
-import { tmpdir } from 'node:os';
+import { tmpdir, platform } from 'node:os';
 import { spawnProcess } from './process.js';
 import { version as VERSION } from '../../package.json';
-import { SONARSOURCE_BINARIES_URL, SONARQUBE_CLI_DIST_PREFIX } from './config-constants.js';
-import { detectPlatform } from './platform-detector.js';
 import logger from './logger.js';
 
 const REQUEST_TIMEOUT_MS = 30000;
-const DOWNLOAD_TIMEOUT_MS = 120000;
 
 /**
  * Fetch the latest available CLI version from binaries.sonarsource.com
@@ -64,169 +60,72 @@ export function compareVersions(a: string, b: string): number {
   return a.localeCompare(b, undefined, { numeric: true });
 }
 
-/**
- * Build the download URL for a given CLI version on the current platform.
- * Naming convention: sonarqube-cli-<version>-<os>-<arch>.exe
- */
-function buildCliDownloadUrl(version: string): string {
-  const platform = detectPlatform();
-  const filename = `sonarqube-cli-${version}-${platform.os}-${platform.arch}.exe`;
-  return `${SONARSOURCE_BINARIES_URL}/${SONARQUBE_CLI_DIST_PREFIX}/${filename}`;
+function isWindows(): boolean {
+  return platform() === 'win32';
 }
 
-/**
- * Download the CLI binary to a temporary file and return its path.
- */
-async function downloadToTemp(url: string): Promise<{ tmpDir: string; tmpFile: string }> {
-  const tmpDir = await mkdtemp(join(tmpdir(), 'sonar-update-'));
-  const tmpFile = join(tmpDir, 'sonar.download');
+const INSTALL_SCRIPT_URL_SH = 'https://gist.githubusercontent.com/kirill-knize-sonarsource/663e7735f883c3b624575f27276a6b79/raw/b9e6add7371f16922a6a7a69d56822906b9e5758/install.sh';
+const INSTALL_SCRIPT_URL_PS1 = 'https://gist.githubusercontent.com/kirill-knize-sonarsource/d75dd5f99228f5a67bcd11ec7d2ed295/raw/a5237e27b0c7bff9a5c7bdeec5fe4b112299b5d8/install.ps1';
+
+async function fetchInstallScript(): Promise<string> {
+  const url = isWindows() ? INSTALL_SCRIPT_URL_PS1 : INSTALL_SCRIPT_URL_SH;
 
-  logger.debug(`Downloading SonarQubeCLI from: ${url}`);
+  logger.debug(`Fetching install script from: ${url}`);
 
   const response = await fetch(url, {
     headers: { 'User-Agent': `sonarqube-cli/${VERSION}` },
-    signal: AbortSignal.timeout(DOWNLOAD_TIMEOUT_MS),
+    signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
   });
 
   if (!response.ok) {
-    throw new Error(`Download failed: ${response.status} ${response.statusText}`);
+    throw new Error(`Failed to fetch install script: ${response.status} ${response.statusText}`);
   }
 
-  const buffer = await response.arrayBuffer();
-  await writeFile(tmpFile, Buffer.from(buffer));
-
-  return { tmpDir, tmpFile };
+  return response.text();
 }
 
 /**
- * Verify a binary responds correctly to --version, returning the version string.
+ * Perform a self-update by fetching and running the platform install script.
+ * On Unix/macOS: downloads install.sh and runs it with bash.
+ * On Windows: downloads install.ps1 and runs it with PowerShell.
  */
-async function verifyBinary(binaryPath: string): Promise<string> {
-  const result = await spawnProcess(binaryPath, ['--version'], {
-    stdout: 'pipe',
-    stderr: 'pipe',
-  });
-
-  if (result.exitCode !== 0) {
-    throw new Error('Downloaded binary failed version check');
-  }
-
-  const combined = result.stdout + ' ' + result.stderr;
+export async function performSelfUpdate(): Promise<void> {
+  const windows = isWindows();
+  const scriptContent = await fetchInstallScript();
 
-  const match = /(\d{1,20}(?:\.\d{1,20}){1,3})/.exec(combined);
-  if (!match) {
-    throw new Error('Could not parse version from downloaded binary output');
-  }
-
-  return match[1];
-}
+  const tmpDir = await mkdtemp(join(tmpdir(), 'sonar-update-'));
 
-/**
- * Remove macOS quarantine attribute from the file (no-op if not quarantined).
- */
-async function removeQuarantine(filePath: string): Promise<void> {
   try {
-    await spawnProcess('xattr', ['-d', 'com.apple.quarantine', filePath], {
-      stdout: 'pipe',
-      stderr: 'pipe',
-    });
-  } catch {
-    // Binary is not quarantined — this is expected and fine
-  }
-}
-
-/**
- * Download the new binary, set permissions, and stage it at newBinaryPath.
- * Returns the temp directory path so the caller can clean it up.
- */
-async function prepareNewBinary(downloadUrl: string, newBinaryPath: string): Promise<string> {
-  const platform = detectPlatform();
-  const { tmpDir, tmpFile } = await downloadToTemp(downloadUrl);
+    if (windows) {
+      const scriptFile = join(tmpDir, 'install.ps1');
+      await writeFile(scriptFile, scriptContent, 'utf8');
 
-  if (platform.os !== 'windows') {
-    await chmod(tmpFile, 0o755);
-  }
-  if (platform.os === 'macos') {
-    await removeQuarantine(tmpFile);
-  }
-
-  await copyFile(tmpFile, newBinaryPath);
-  if (platform.os !== 'windows') {
-    await chmod(newBinaryPath, 0o755);
-  }
-
-  return tmpDir;
-}
+      const result = await spawnProcess('powershell', ['-ExecutionPolicy', 'Bypass', '-File', scriptFile], {
+        stdout: 'pipe',
+        stderr: 'pipe',
+      });
 
-/**
- * Atomically swap newBinaryPath into currentBinaryPath, verify the result, then
- * clean up. On verification failure, restores the backup when one was created, or
- * removes the failed binary entirely when there was no original to restore.
- */
-async function swapAndVerify(currentBinaryPath: string, newBinaryPath: string, backupPath: string): Promise<string> {
-  const backupCreated = existsSync(currentBinaryPath);
-  if (backupCreated) {
-    await rename(currentBinaryPath, backupPath);
-  }
-  await rename(newBinaryPath, currentBinaryPath);
-
-  try {
-    const installedVersion = await verifyBinary(currentBinaryPath);
-    if (backupCreated && existsSync(backupPath)) {
-      await unlink(backupPath);
-    }
-    return installedVersion;
-  } catch (error_) {
-    logger.warn(`Verification failed, rolling back: ${(error_ as Error).message}`);
-    if (backupCreated && existsSync(backupPath)) {
-      await rename(backupPath, currentBinaryPath);
-    } else if (!backupCreated) {
-      try {
-        await unlink(currentBinaryPath);
-      } catch {
-        // Ignore cleanup errors
+      if (result.exitCode !== 0) {
+        throw new Error(`Install script failed (exit ${result.exitCode}): ${result.stderr || result.stdout}`);
       }
-    }
-    throw error_;
-  }
-}
+    } else {
+      const scriptFile = join(tmpDir, 'install.sh');
+      await writeFile(scriptFile, scriptContent, 'utf8');
 
-/**
- * Perform an in-place binary self-update with rollback on failure.
- *
- * Strategy:
- *  1. Download new binary to system tmpdir
- *  2. Copy to <binaryPath>.new (same FS → avoids cross-device rename)
- *  3. Rename current binary to <binaryPath>.backup  (atomic)
- *  4. Rename .new to current path                  (atomic)
- *  5. Verify the new binary works
- *  6. On success: remove backup
- *  7. On failure: restore backup (or remove failed binary if no backup), throw
- */
-export async function performSelfUpdate(version: string): Promise<string> {
-  const currentBinaryPath = process.execPath;
-  const newBinaryPath = `${currentBinaryPath}.new`;
-  const backupPath = `${currentBinaryPath}.backup`;
+      const result = await spawnProcess('bash', [scriptFile], {
+        stdout: 'pipe',
+        stderr: 'pipe',
+      });
 
-  let tmpDir: string | null = null;
-
-  try {
-    tmpDir = await prepareNewBinary(buildCliDownloadUrl(version), newBinaryPath);
-    return await swapAndVerify(currentBinaryPath, newBinaryPath, backupPath);
-  } finally {
-    if (tmpDir) {
-      try {
-        await rm(tmpDir, { recursive: true, force: true });
-      } catch {
-        // Ignore cleanup errors
+      if (result.exitCode !== 0) {
+        throw new Error(`Install script failed (exit ${result.exitCode}): ${result.stderr || result.stdout}`);
       }
     }
-    if (existsSync(newBinaryPath)) {
-      try {
-        await unlink(newBinaryPath);
-      } catch {
-        // Ignore cleanup errors
-      }
+  } finally {
+    try {
+      await rm(tmpDir, { recursive: true, force: true });
+    } catch {
+      // Ignore cleanup errors
     }
   }
 }

tests/unit/self-update-command.test.ts

@@ -116,7 +116,7 @@ describe('selfUpdateCommand', () => {
 
   it('does not call performSelfUpdate when already on the latest version', async () => {
     fetchLatestSpy = spyOn(selfUpdate, 'fetchLatestCliVersion').mockResolvedValue(VERSION);
-    performUpdateSpy = spyOn(selfUpdate, 'performSelfUpdate').mockResolvedValue(VERSION);
+    performUpdateSpy = spyOn(selfUpdate, 'performSelfUpdate').mockResolvedValue(undefined);
 
     await selfUpdateCommand({});
 
@@ -125,33 +125,33 @@ describe('selfUpdateCommand', () => {
 
   it('calls performSelfUpdate and shows success when update is available', async () => {
     fetchLatestSpy = spyOn(selfUpdate, 'fetchLatestCliVersion').mockResolvedValue('99.99.99');
-    performUpdateSpy = spyOn(selfUpdate, 'performSelfUpdate').mockResolvedValue('99.99.99');
+    performUpdateSpy = spyOn(selfUpdate, 'performSelfUpdate').mockResolvedValue(undefined);
 
     await selfUpdateCommand({});
 
-    expect(performUpdateSpy).toHaveBeenCalledWith('99.99.99');
+    expect(performUpdateSpy).toHaveBeenCalled();
     const calls = getMockUiCalls();
     const successes = calls.filter(c => c.method === 'success').map(c => String(c.args[0]));
     expect(successes.some(m => m.includes('Updated to v99.99.99'))).toBe(true);
   });
 
   it('with --force, calls performSelfUpdate even when already on the latest version', async () => {
     fetchLatestSpy = spyOn(selfUpdate, 'fetchLatestCliVersion').mockResolvedValue(VERSION);
-    performUpdateSpy = spyOn(selfUpdate, 'performSelfUpdate').mockResolvedValue(VERSION);
+    performUpdateSpy = spyOn(selfUpdate, 'performSelfUpdate').mockResolvedValue(undefined);
 
     await selfUpdateCommand({ force: true });
 
-    expect(performUpdateSpy).toHaveBeenCalledWith(VERSION);
+    expect(performUpdateSpy).toHaveBeenCalled();
     const calls = getMockUiCalls();
     const infos = calls.filter(c => c.method === 'info').map(c => String(c.args[0]));
     expect(infos.some(m => m.includes('Forcing reinstall'))).toBe(true);
   });
 
   it('propagates error from performSelfUpdate', async () => {
     fetchLatestSpy = spyOn(selfUpdate, 'fetchLatestCliVersion').mockResolvedValue('99.99.99');
-    performUpdateSpy = spyOn(selfUpdate, 'performSelfUpdate').mockRejectedValue(new Error('download failed'));
+    performUpdateSpy = spyOn(selfUpdate, 'performSelfUpdate').mockRejectedValue(new Error('install script failed'));
 
-    expect(selfUpdateCommand({})).rejects.toThrow('download failed');
+    expect(selfUpdateCommand({})).rejects.toThrow('install script failed');
   });
 
   it('propagates error when version fetch fails', async () => {

tests/unit/self-update.test.ts

@@ -20,8 +20,9 @@
 
 // Tests for src/lib/self-update.ts
 
-import { describe, it, expect, spyOn, afterEach } from 'bun:test';
-import { compareVersions, fetchLatestCliVersion } from '../../src/lib/self-update.js';
+import { describe, it, expect, spyOn, afterEach, mock } from 'bun:test';
+import { compareVersions, fetchLatestCliVersion, performSelfUpdate } from '../../src/lib/self-update.js';
+import * as processLib from '../../src/lib/process.js';
 
 describe('compareVersions', () => {
   it('returns 0 for equal versions', () => {
@@ -91,3 +92,54 @@ describe('fetchLatestCliVersion', () => {
     expect(fetchLatestCliVersion()).rejects.toThrow('network error');
   });
 });
+
+describe('performSelfUpdate', () => {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  let fetchSpy: any;
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  let spawnSpy: any;
+
+  afterEach(() => {
+    fetchSpy?.mockRestore();
+    spawnSpy?.mockRestore();
+  });
+
+  it('fetches the install script and runs it successfully', async () => {
+    fetchSpy = spyOn(globalThis, 'fetch').mockResolvedValue({
+      ok: true,
+      text: async () => '#!/usr/bin/env bash\necho "done"',
+    } as Response);
+    spawnSpy = spyOn(processLib, 'spawnProcess').mockResolvedValue({
+      exitCode: 0,
+      stdout: 'Installed sonar to: /usr/local/bin/sonar',
+      stderr: '',
+    });
+
+    await expect(performSelfUpdate()).resolves.toBeUndefined();
+    expect(spawnSpy).toHaveBeenCalledTimes(1);
+  });
+
+  it('throws when the install script fetch fails', async () => {
+    fetchSpy = spyOn(globalThis, 'fetch').mockResolvedValue({
+      ok: false,
+      status: 404,
+      statusText: 'Not Found',
+    } as Response);
+
+    await expect(performSelfUpdate()).rejects.toThrow('Failed to fetch install script: 404 Not Found');
+  });
+
+  it('throws when the install script exits with a non-zero code', async () => {
+    fetchSpy = spyOn(globalThis, 'fetch').mockResolvedValue({
+      ok: true,
+      text: async () => '#!/usr/bin/env bash\nexit 1',
+    } as Response);
+    spawnSpy = spyOn(processLib, 'spawnProcess').mockResolvedValue({
+      exitCode: 1,
+      stdout: '',
+      stderr: 'Download failed',
+    });
+
+    await expect(performSelfUpdate()).rejects.toThrow('Install script failed (exit 1): Download failed');
+  });
+});