fix(update): fetch fresh checksums via GitHub API

Dicklesworthstone · Dicklesworthstone · commit 57afc58d5452 · 2026-05-04T17:44:58.000-04:00
diff --git a/scripts/generated/internal_checksums.sh b/scripts/generated/internal_checksums.sh
@@ -10,7 +10,7 @@
 declare -gA ACFS_INTERNAL_CHECKSUMS=(
   [scripts/lib/security.sh]="1fc1cb591fd62ac56d12c5af183de9674e501a74d478b3dd60901167262e919a"
   [scripts/lib/agents.sh]="0d4e7666b7a7267203445c364ad2d4997775826175700627abe83c70afce2269"
-  [scripts/lib/update.sh]="63cfcdb36b6ea89e31ec269ed1f6d3782c7156a7a57de637bb7f28927c027da2"
+  [scripts/lib/update.sh]="8a43e4fcfef29df3eadb0c69a091a66670d0834cc3b7e8691835f6acd5e418a5"
   [scripts/lib/doctor.sh]="89cbdcf2c6b5a88404857a8885508f686c9aeba04e69a95b4e99475ba9148f42"
   [scripts/lib/doctor_fix.sh]="0010bcf607fce4cb5447a7f5daee0bdf507b03839f97be746a0afdab97e1b249"
   [scripts/lib/autofix.sh]="ae7cc5e0b3af3f170d647945d3daee9a341c9276c270fe06895ab9aaf26ba805"
diff --git a/scripts/lib/update.sh b/scripts/lib/update.sh
@@ -2774,7 +2774,6 @@ sync_acfs_global_wrapper() {
 # Checksums Refresh (Auto-update from GitHub)
 # ============================================================
 
-CHECKSUMS_URL="https://raw.githubusercontent.com/${ACFS_REPO_OWNER}/${ACFS_REPO_NAME}/${ACFS_CHECKSUMS_REF}/checksums.yaml"
 CHECKSUMS_LOCAL="${ACFS_HOME:-$HOME/.acfs}/checksums.yaml"
 
 update_resolve_checksums_file() {
@@ -2878,6 +2877,10 @@ update_sync_known_installer_urls_from_checksums() {
 refresh_checksums() {
     local quiet="${1:-false}"
     local checksums_local=""
+    local checksums_ref="${ACFS_CHECKSUMS_REF:-main}"
+    local api_url="https://api.github.com/repos/${ACFS_REPO_OWNER}/${ACFS_REPO_NAME}/contents/checksums.yaml?ref=${checksums_ref}"
+    local raw_url="https://raw.githubusercontent.com/${ACFS_REPO_OWNER}/${ACFS_REPO_NAME}/${checksums_ref}/checksums.yaml?cb=$(date +%s)"
+    local fetched_source=""
 
     checksums_local="$(update_runtime_acfs_home 2>/dev/null || true)"
     if [[ -z "$checksums_local" ]]; then
@@ -2898,32 +2901,42 @@ refresh_checksums() {
         return 1
     fi
 
-    if update_curl --connect-timeout 5 --max-time 30 -o "$tmp_checksums" "$CHECKSUMS_URL" 2>/dev/null; then
-        # Validate it looks like a checksums file
-        if grep -q "^installers:" "$tmp_checksums" 2>/dev/null; then
-            if mv "$tmp_checksums" "$checksums_local" 2>/dev/null; then
-                chmod 644 "$checksums_local" 2>/dev/null || true  # Ensure readable permissions
-                if [[ "$quiet" != "true" ]]; then
-                    log_item "ok" "checksums refresh" "synced from GitHub"
-                fi
-                log_to_file "Refreshed checksums.yaml from $CHECKSUMS_URL"
-                return 0
-            else
-                rm -f "$tmp_checksums"
-                [[ "$quiet" != "true" ]] && log_item "warn" "checksums refresh" "failed to install, using cached"
-                log_to_file "Checksums refresh failed: mv failed"
-                return 1
+    if update_curl \
+        --connect-timeout 5 \
+        --max-time 30 \
+        -H "Accept: application/vnd.github.raw" \
+        -H "X-GitHub-Api-Version: 2022-11-28" \
+        -o "$tmp_checksums" \
+        "$api_url" 2>/dev/null; then
+        fetched_source="$api_url"
+    elif update_curl --connect-timeout 5 --max-time 30 -o "$tmp_checksums" "$raw_url" 2>/dev/null; then
+        fetched_source="$raw_url"
+    else
+        rm -f "$tmp_checksums"
+        [[ "$quiet" != "true" ]] && log_item "warn" "checksums refresh" "network error, using cached"
+        log_to_file "Checksums refresh failed: network error"
+        return 1
+    fi
+
+    # Validate it looks like a checksums file.
+    if grep -q "^installers:" "$tmp_checksums" 2>/dev/null; then
+        if mv "$tmp_checksums" "$checksums_local" 2>/dev/null; then
+            chmod 644 "$checksums_local" 2>/dev/null || true  # Ensure readable permissions
+            if [[ "$quiet" != "true" ]]; then
+                log_item "ok" "checksums refresh" "synced from GitHub"
             fi
+            log_to_file "Refreshed checksums.yaml from $fetched_source"
+            return 0
         else
             rm -f "$tmp_checksums"
-            [[ "$quiet" != "true" ]] && log_item "warn" "checksums refresh" "invalid format, using cached"
-            log_to_file "Checksums refresh failed: invalid format"
+            [[ "$quiet" != "true" ]] && log_item "warn" "checksums refresh" "failed to install, using cached"
+            log_to_file "Checksums refresh failed: mv failed"
             return 1
         fi
     else
         rm -f "$tmp_checksums"
-        [[ "$quiet" != "true" ]] && log_item "warn" "checksums refresh" "network error, using cached"
-        log_to_file "Checksums refresh failed: network error"
+        [[ "$quiet" != "true" ]] && log_item "warn" "checksums refresh" "invalid format, using cached"
+        log_to_file "Checksums refresh failed: invalid format"
         return 1
     fi
 }
diff --git a/tests/unit/lib/test_update.bats b/tests/unit/lib/test_update.bats
@@ -619,11 +619,141 @@ EOF
 @test "refresh_checksums: uses trusted update_curl helper" {
     local update="$PROJECT_ROOT/scripts/lib/update.sh"
 
-    run grep -F 'if update_curl --connect-timeout 5 --max-time 30 -o "$tmp_checksums" "$CHECKSUMS_URL" 2>/dev/null; then' "$update"
+    run grep -F 'if update_curl \' "$update"
     assert_success
 
-    run grep -F 'curl "${_refresh_curl_args[@]}" -o "$tmp_checksums" "$CHECKSUMS_URL"' "$update"
+    run grep -F 'elif update_curl --connect-timeout 5 --max-time 30 -o "$tmp_checksums" "$raw_url" 2>/dev/null; then' "$update"
+    assert_success
+
+    run grep -F 'curl "${_refresh_curl_args[@]}" -o "$tmp_checksums"' "$update"
+    assert_failure
+
+    run grep -F 'CHECKSUMS_URL=' "$update"
+    assert_failure
+}
+
+@test "refresh_checksums: prefers GitHub API over raw CDN" {
+    local runtime_home
+    local calls_file
+    local checksums_file
+    runtime_home="$(create_temp_dir)"
+    calls_file="$BATS_TEST_TMPDIR/refresh-api-calls.log"
+    checksums_file="$runtime_home/.acfs/checksums.yaml"
+
+    mkdir -p "$runtime_home/.acfs"
+    export HOME="$runtime_home"
+    export TARGET_HOME="$runtime_home"
+    unset TARGET_USER
+    export ACFS_HOME="$runtime_home/.acfs"
+    export ACFS_CHECKSUMS_REF="main"
+
+    update_curl() {
+        local output_file=""
+        local url="${*: -1}"
+        local i=1
+
+        while [[ $i -le $# ]]; do
+            if [[ "${!i}" == "-o" ]]; then
+                local next=$((i + 1))
+                output_file="${!next}"
+                break
+            fi
+            ((i += 1))
+        done
+
+        printf '%s\n' "$url" >> "$calls_file"
+        case "$url" in
+            https://api.github.com/repos/*/contents/checksums.yaml?ref=main)
+                cat > "$output_file" <<'EOF'
+installers:
+  mcp_agent_mail:
+    url: "https://raw.githubusercontent.com/Dicklesworthstone/mcp_agent_mail_rust/refs/heads/main/install.sh"
+    sha256: "2222222222222222222222222222222222222222222222222222222222222222"
+EOF
+                return 0
+                ;;
+            https://raw.githubusercontent.com/*)
+                return 22
+                ;;
+            *)
+                return 1
+                ;;
+        esac
+    }
+
+    run refresh_checksums true
+    assert_success
+
+    run grep -F 'api.github.com/repos/Dicklesworthstone/agentic_coding_flywheel_setup/contents/checksums.yaml?ref=main' "$calls_file"
+    assert_success
+
+    run grep -F 'raw.githubusercontent.com' "$calls_file"
     assert_failure
+
+    run grep -F 'mcp_agent_mail_rust/refs/heads/main/install.sh' "$checksums_file"
+    assert_success
+}
+
+@test "refresh_checksums: cache-busts raw fallback when GitHub API fails" {
+    local runtime_home
+    local calls_file
+    local checksums_file
+    runtime_home="$(create_temp_dir)"
+    calls_file="$BATS_TEST_TMPDIR/refresh-raw-calls.log"
+    checksums_file="$runtime_home/.acfs/checksums.yaml"
+
+    mkdir -p "$runtime_home/.acfs"
+    export HOME="$runtime_home"
+    export TARGET_HOME="$runtime_home"
+    unset TARGET_USER
+    export ACFS_HOME="$runtime_home/.acfs"
+    export ACFS_CHECKSUMS_REF="feature/ref"
+
+    update_curl() {
+        local output_file=""
+        local url="${*: -1}"
+        local i=1
+
+        while [[ $i -le $# ]]; do
+            if [[ "${!i}" == "-o" ]]; then
+                local next=$((i + 1))
+                output_file="${!next}"
+                break
+            fi
+            ((i += 1))
+        done
+
+        printf '%s\n' "$url" >> "$calls_file"
+        case "$url" in
+            https://api.github.com/*)
+                return 22
+                ;;
+            https://raw.githubusercontent.com/Dicklesworthstone/agentic_coding_flywheel_setup/feature/ref/checksums.yaml?cb=*)
+                cat > "$output_file" <<'EOF'
+installers:
+  mcp_agent_mail:
+    url: "https://raw.githubusercontent.com/Dicklesworthstone/mcp_agent_mail_rust/refs/heads/main/install.sh"
+    sha256: "3333333333333333333333333333333333333333333333333333333333333333"
+EOF
+                return 0
+                ;;
+            *)
+                return 1
+                ;;
+        esac
+    }
+
+    run refresh_checksums true
+    assert_success
+
+    run grep -F 'api.github.com/repos/Dicklesworthstone/agentic_coding_flywheel_setup/contents/checksums.yaml?ref=feature/ref' "$calls_file"
+    assert_success
+
+    run grep -E 'raw.githubusercontent.com/.*/feature/ref/checksums.yaml\?cb=[0-9]+' "$calls_file"
+    assert_success
+
+    run grep -F '3333333333333333333333333333333333333333333333333333333333333333' "$checksums_file"
+    assert_success
 }
 
 @test "self-update hash comparisons use trusted update_sha256_file helper" {
