Skip to content

Commit 3d94d33

Browse files
author
Marcus Pousette
committed
fix: hardening
1 parent f65ac22 commit 3d94d33

File tree

2 files changed

+27
-17
lines changed

2 files changed

+27
-17
lines changed

.github/workflows/prebuilt.yml

Lines changed: 14 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -124,9 +124,12 @@ jobs:
124124
if [[ "${{ matrix.os }}" == windows* ]]; then TRIPLE=win32-$ARCH; fi
125125
NAME=sqlite-vec-$TRIPLE.$EXT
126126
echo "Uploading $NAME"
127-
gh release upload "${{ needs.ensure-release.outputs.tag }}" "${{ steps.find_art.outputs.artifact }}#${NAME}" --clobber -R "$GITHUB_REPOSITORY"
127+
# Rename by copying to a temp filepath so the asset name is exact even on old gh versions
128+
TMPFILE=$(mktemp)
129+
rm -f "$TMPFILE" && cp "${{ steps.find_art.outputs.artifact }}" "$NAME"
130+
gh release upload "${{ needs.ensure-release.outputs.tag }}" "$NAME" --clobber -R "$GITHUB_REPOSITORY"
128131
# Create checksum file for the uploaded asset name
129-
HASH=$(node -e "const fs=require('fs');const c=require('crypto');const d=fs.readFileSync(process.argv[1]);process.stdout.write(c.createHash('sha256').update(d).digest('hex'));" "${{ steps.find_art.outputs.artifact }}")
132+
HASH=$(node -e "const fs=require('fs');const c=require('crypto');const d=fs.readFileSync(process.argv[1]);process.stdout.write(c.createHash('sha256').update(d).digest('hex'));" "$NAME")
130133
printf "%s %s" "$HASH" "$NAME" > "$NAME.sha256"
131134
gh release upload "${{ needs.ensure-release.outputs.tag }}" "$NAME.sha256" --clobber -R "$GITHUB_REPOSITORY"
132135
# Verify asset is present on the release (tolerate eventual consistency)
@@ -197,8 +200,9 @@ jobs:
197200
[ -n "$ART" ] || (echo "No artifact" && exit 1)
198201
NAME=sqlite-vec-linux-x64-musl.so
199202
echo "Uploading $NAME"
200-
gh release upload "${{ needs.ensure-release.outputs.tag }}" "$ART#$NAME" --clobber -R "$GITHUB_REPOSITORY"
201-
HASH=$(node -e "const fs=require('fs');const c=require('crypto');const d=fs.readFileSync(process.argv[1]);process.stdout.write(c.createHash('sha256').update(d).digest('hex'));" "$ART")
203+
cp "$ART" "$NAME"
204+
gh release upload "${{ needs.ensure-release.outputs.tag }}" "$NAME" --clobber -R "$GITHUB_REPOSITORY"
205+
HASH=$(node -e "const fs=require('fs');const c=require('crypto');const d=fs.readFileSync(process.argv[1]);process.stdout.write(c.createHash('sha256').update(d).digest('hex'));" "$NAME")
202206
printf "%s %s" "$HASH" "$NAME" > "$NAME.sha256"
203207
gh release upload "${{ needs.ensure-release.outputs.tag }}" "$NAME.sha256" --clobber -R "$GITHUB_REPOSITORY"
204208
# Verify asset exists (HEAD the direct URL with retries)
@@ -248,8 +252,9 @@ jobs:
248252
for f in sqlite-vec/dist/*.so sqlite-vec/sqlite-vec*.so; do [ -f "$f" ] && ART="$f" && break; done
249253
if [ "${{ matrix.arch }}" = "arm/v7" ]; then ARCH=armv7; else ARCH=arm64; fi
250254
NAME=sqlite-vec-linux-$ARCH-musl.so
251-
gh release upload "${{ needs.ensure-release.outputs.tag }}" "$ART#$NAME" --clobber -R "$GITHUB_REPOSITORY"
252-
HASH=$(node -e "const fs=require('fs');const c=require('crypto');const d=fs.readFileSync(process.argv[1]);process.stdout.write(c.createHash('sha256').update(d).digest('hex'));" "$ART")
255+
cp "$ART" "$NAME"
256+
gh release upload "${{ needs.ensure-release.outputs.tag }}" "$NAME" --clobber -R "$GITHUB_REPOSITORY"
257+
HASH=$(node -e "const fs=require('fs');const c=require('crypto');const d=fs.readFileSync(process.argv[1]);process.stdout.write(c.createHash('sha256').update(d).digest('hex'));" "$NAME")
253258
printf "%s %s" "$HASH" "$NAME" > "$NAME.sha256"
254259
gh release upload "${{ needs.ensure-release.outputs.tag }}" "$NAME.sha256" --clobber -R "$GITHUB_REPOSITORY"
255260
# Verify asset exists (HEAD the direct URL with retries)
@@ -286,8 +291,9 @@ jobs:
286291
ART=""
287292
for f in sqlite-vec/dist/*.so sqlite-vec/sqlite-vec*.so; do [ -f "$f" ] && ART="$f" && break; done
288293
NAME=sqlite-vec-linux-arm64-gnu.so
289-
gh release upload "${{ needs.ensure-release.outputs.tag }}" "$ART#$NAME" --clobber -R "$GITHUB_REPOSITORY"
290-
HASH=$(node -e "const fs=require('fs');const c=require('crypto');const d=fs.readFileSync(process.argv[1]);process.stdout.write(c.createHash('sha256').update(d).digest('hex'));" "$ART")
294+
cp "$ART" "$NAME"
295+
gh release upload "${{ needs.ensure-release.outputs.tag }}" "$NAME" --clobber -R "$GITHUB_REPOSITORY"
296+
HASH=$(node -e "const fs=require('fs');const c=require('crypto');const d=fs.readFileSync(process.argv[1]);process.stdout.write(c.createHash('sha256').update(d).digest('hex'));" "$NAME")
291297
printf "%s %s" "$HASH" "$NAME" > "$NAME.sha256"
292298
gh release upload "${{ needs.ensure-release.outputs.tag }}" "$NAME.sha256" --clobber -R "$GITHUB_REPOSITORY"
293299
# Verify asset exists (HEAD the direct URL with retries)

scripts/fetch-prebuilt.cjs

Lines changed: 13 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -75,7 +75,8 @@ async function download(url, dest) {
7575
async function main() {
7676
const triple = platformTriple();
7777
const ext = fileExt();
78-
const version = pkg.version.startsWith('v') ? pkg.version : `v${pkg.version}`;
78+
const verWithV = pkg.version.startsWith('v') ? pkg.version : `v${pkg.version}`;
79+
const verNoV = verWithV.replace(/^v/, '');
7980
const resolved = repoFromPackage();
8081
const candidates = Array.from(
8182
new Set([
@@ -93,12 +94,14 @@ async function main() {
9394
console.log(`[sqlite3-vec] Version: ${version}`);
9495
let lastErr;
9596
for (const repo of candidates) {
96-
const base = `https://github.com/${repo}/releases/download/${version}`;
97-
const url = `${base}/${asset}`;
98-
const sumUrl = `${base}/${asset}.sha256`;
9997
console.log(`[sqlite3-vec] Trying repo: ${repo}`);
100-
try {
101-
await download(url, dest);
98+
for (const tag of [verWithV, verNoV]) {
99+
const base = `https://github.com/${repo}/releases/download/${tag}`;
100+
const url = `${base}/${asset}`;
101+
const sumUrl = `${base}/${asset}.sha256`;
102+
console.log(`[sqlite3-vec] Trying tag: ${tag}`);
103+
try {
104+
await download(url, dest);
102105
console.log('[sqlite3-vec] Downloaded:', dest);
103106
try {
104107
await download(sumUrl, sumDest);
@@ -113,9 +116,10 @@ async function main() {
113116
console.warn('[sqlite3-vec] Checksum not verified:', e?.message || String(e));
114117
}
115118
process.exit(0);
116-
} catch (e) {
117-
lastErr = e;
118-
console.warn(`[sqlite3-vec] Download failed from ${repo}:`, e?.message || String(e));
119+
} catch (e) {
120+
lastErr = e;
121+
console.warn(`[sqlite3-vec] Download failed from ${repo} tag ${tag}:`, e?.message || String(e));
122+
}
119123
}
120124
}
121125
console.warn('[sqlite3-vec] All download attempts failed. Tried repos:', candidates.join(', '));

0 commit comments

Comments
 (0)