From 06a2f60c082033478db66738f2d1f0d6502283e3 Mon Sep 17 00:00:00 2001 From: Bryan Van Deusen Date: Tue, 26 May 2026 00:42:35 -0400 Subject: [PATCH] =?UTF-8?q?fix(ext-ci):=20use=20browser=5Fdownload=5Furl?= =?UTF-8?q?=20not=20/releases/assets/=20+=20add=20-f=20to=20curl=20+?= =?UTF-8?q?=20magic-byte=20sanity=20check=20(operator-flagged=202026-05-26?= =?UTF-8?q?:=20prior=20build=20silently=20wrote=20'404=20page=20not=20foun?= =?UTF-8?q?d'=20into=20the=20XPI=20file,=20Firefox=20rejected=20as=20corru?= =?UTF-8?q?pt)=20=E2=80=94=20Co-Authored-By:=20Claude=20Opus=204.7=20(1M?= =?UTF-8?q?=20context)=20?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .forgejo/workflows/build.yml | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/.forgejo/workflows/build.yml b/.forgejo/workflows/build.yml index 898419b..79b6b85 100644 --- a/.forgejo/workflows/build.yml +++ b/.forgejo/workflows/build.yml @@ -165,16 +165,35 @@ jobs: run: | set -eux VERSION=$(grep -E '"version"' extension/package.json | head -1 | sed -E 's/.*"version"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/') - # Look up the ext- release + its .xpi asset id. + # Look up the ext- release; extract the .xpi asset's + # browser_download_url (Forgejo's /releases/assets/ endpoint + # returns ASSET METADATA, not the binary blob — operator-flagged + # 2026-05-26: my prior code curl'd the metadata endpoint without + # -f and wrote the resulting 404-page-not-found text into + # fabledcurator-*.xpi, which Firefox then rejected as "corrupt"). + # browser_download_url is the canonical binary endpoint and is + # also publicly accessible (no token needed) but we pass the + # token anyway for symmetry with private-repo support. curl -sf -H "Authorization: token $TOKEN" \ "https://git.fabledsword.com/api/v1/repos/bvandeusen/FabledCurator/releases/tags/ext-$VERSION" \ -o release.json - ASSET_ID=$(python3 -c "import json; r=json.load(open('release.json')); xpis=[a for a in r.get('assets', []) if a.get('name','').endswith('.xpi')]; print(xpis[0]['id'])") - test -n "$ASSET_ID" + DOWNLOAD_URL=$(python3 -c "import json; r=json.load(open('release.json')); xpis=[a for a in r.get('assets', []) if a.get('name','').endswith('.xpi')]; print(xpis[0]['browser_download_url'])") + test -n "$DOWNLOAD_URL" + echo "Downloading XPI from: $DOWNLOAD_URL" mkdir -p frontend/public/extension DEST="frontend/public/extension/fabledcurator-$VERSION.xpi" - curl -sL -H "Authorization: token $TOKEN" -o "$DEST" \ - "https://git.fabledsword.com/api/v1/repos/bvandeusen/FabledCurator/releases/assets/$ASSET_ID" + # -f = fail on HTTP error (prevents silent corruption like the + # 2026-05-26 incident); -L = follow redirects. + curl -sfL -H "Authorization: token $TOKEN" -o "$DEST" "$DOWNLOAD_URL" + # Sanity check: the binary should start with the ZIP magic (PK\x03\x04). + # If it's anything else, the next docker build will ship a corrupt XPI. + MAGIC=$(head -c 2 "$DEST" | od -An -c | tr -d ' \n') + if [ "$MAGIC" != "PK" ]; then + echo "ERROR: downloaded XPI does not start with ZIP magic 'PK' (got '$MAGIC')" + echo "File contents preview:" + head -c 200 "$DEST" + exit 1 + fi cp "$DEST" "frontend/public/extension/fabledcurator-latest.xpi" ls -la frontend/public/extension/