Move bin/lein release script to downloading from non-github #4

Open
opened 2 months ago by technomancy · 4 comments
Owner

Unfortunately codeberg release download URLs are not predictable: https://codeberg.org/attachments/60dddfb3-74f1-4177-945a-a4ccfe8f7d88

This means we can't update bin/lein with the URL before tagging the release.

We will need to find another way to do this. One option is to host on https://leiningen.org but this opens up possibilities for attack vectors which we haven't had to worry about in the past.

Unfortunately codeberg release download URLs are not predictable: https://codeberg.org/attachments/60dddfb3-74f1-4177-945a-a4ccfe8f7d88 This means we can't update `bin/lein` with the URL before tagging the release. We will need to find another way to do this. One option is to host on https://leiningen.org but this opens up possibilities for attack vectors which we haven't had to worry about in the past.

Ugh, those unpredictable urls are a real bummer, sounds like not thinking through any kind of automation at first glance :(

Ugh, those unpredictable urls are a real bummer, sounds like not thinking through any kind of automation at first glance :(
Poster
Owner

Since #5 is a very serious problem, I think we will have to wait on this and not fix it in 2.9.10.

Since #5 is a very serious problem, I think we will have to wait on this and not fix it in 2.9.10.

Gitea has an API for getting specific release by tag:

/repos/{owner}/{repo}/releases/tags/{tag}

https://codeberg.org/api/swagger#/repository/repoGetReleaseByTag

So for example 2.9.9 is https://codeberg.org/api/v1/repos/leiningen/leiningen/releases/tags/2.9.9 which returns bunch of JSON with links to attachments.

Gitea has an API for getting specific release by tag: ``` /repos/{owner}/{repo}/releases/tags/{tag} ``` https://codeberg.org/api/swagger#/repository/repoGetReleaseByTag So for example 2.9.9 is `https://codeberg.org/api/v1/repos/leiningen/leiningen/releases/tags/2.9.9` which returns bunch of JSON with links to attachments.
Poster
Owner

Aha; so it looks like there is a URL for what we need. It's just not exposed anywhere other than the API.

I still want to get the 2.9.10 release out first since it's very urgent, but we can switch the bin script over for the following release.

Aha; so it looks like there is a URL for what we need. It's just not exposed anywhere other than the API. I still want to get the 2.9.10 release out first since it's very urgent, but we can switch the bin script over for the following release.
Sign in to join this conversation.
No Milestone
No Assignees
3 Participants
Notifications
Due Date

No due date set.

Dependencies

No dependencies set.

Reference: leiningen/leiningen#4
Loading…
There is no content yet.