Skip to content

Commit f20afe1

Browse files
MagicalTuxclaude
andcommitted
Give the headless -server build its own auto-update channel
Reverses 0.1.13's "no updater on the console build": headless workers now self-update too, but on a separate `server` channel so they track another console build instead of the GTK-linked GUI binary on `master`. - build_updater sets the channel per variant via a compile-time const: `master` for the GUI build (rsupd's default, unchanged), `server` for the no-GUI build. The updater spawns for both again. - release.yml gains a publish-server job: the server binary isn't a triple-named CI artifact (so `rsupd publish --ci` can't see it), so we download the -server tar.gz, drop decryptd into target/x86_64-unknown-linux-gnu/release/, and `rsupd publish --target … --channel server` in local mode (packages the existing binary, no recompile). Same signing identity and fingerprint as master. Both feature sets build clean; workflow YAML validated. Bump to 0.1.14. Note: 0.1.13 server binaries have no updater, so they need a one-time manual re-download to 0.1.14; from 0.1.14 on they track the server channel. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 7c017bc commit f20afe1

4 files changed

Lines changed: 53 additions & 15 deletions

File tree

.github/workflows/release.yml

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -56,3 +56,34 @@ jobs:
5656
GH_TOKEN: ${{ github.token }}
5757
RSUPD_IDENTITY: ${{ secrets.RSUPD_IDENTITY }}
5858
run: rsupd publish --ci --run ${{ github.run_id }} --channel master --yes
59+
60+
# The headless -server build tracks its own `server` channel so console workers
61+
# auto-update to another console build, never the GTK-linked GUI binary on
62+
# `master`. Its binary isn't a triple-named CI artifact, so `--ci` can't stage it;
63+
# instead we drop it into target/<triple>/release/ and publish in local mode
64+
# (rsupd packages the existing binary — no recompile).
65+
publish-server:
66+
name: Sign & publish server update
67+
needs: build
68+
runs-on: ubuntu-latest
69+
permissions:
70+
contents: read
71+
actions: read
72+
steps:
73+
- uses: actions/checkout@v4
74+
- uses: dtolnay/rust-toolchain@stable
75+
- uses: Swatinem/rust-cache@v2
76+
- name: Install rsupd CLI
77+
run: cargo install rsupd --locked --features _cli
78+
- name: Stage the headless server binary at its target path
79+
env:
80+
GH_TOKEN: ${{ github.token }}
81+
run: |
82+
gh run download ${{ github.run_id }} -n decryptd-linux-x86_64-server.tar.gz -D srv
83+
mkdir -p target/x86_64-unknown-linux-gnu/release
84+
tar -xzf srv/decryptd-linux-x86_64-server.tar.gz \
85+
-C target/x86_64-unknown-linux-gnu/release decryptd
86+
- name: Sign & publish to the `server` channel
87+
env:
88+
RSUPD_IDENTITY: ${{ secrets.RSUPD_IDENTITY }}
89+
run: rsupd publish --target x86_64-unknown-linux-gnu --channel server --yes

Cargo.lock

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[package]
22
name = "decryptd"
3-
version = "0.1.13"
3+
version = "0.1.14"
44
edition = "2024"
55
license = "Proprietary"
66
authors = ["Karpeles Lab Inc"]

src/main.rs

Lines changed: 20 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -921,18 +921,26 @@ fn upload_loop(ctx: RestContext, inflight: InFlight, done: Arc<Mutex<Receiver<Fi
921921
/// Trust anchor for self-updates: the SHA-256 fingerprint of the decryptd
922922
/// release signing key (`rsupd id export`). It's a hash of a public key, so it's
923923
/// safe to embed; the updater refuses any manifest not signed by the matching
924-
/// private identity. GUI-build only — the console `-server` build has no updater.
925-
#[cfg(feature = "gui")]
924+
/// private identity.
926925
const RSUPD_FINGERPRINT: &str = "80b9edc7e6eaebf10b2a25bb10556b9b7fa6abc9fbe556706a2b680cefa4a0fc";
927926

928-
/// Build the signed auto-updater. The transport (dist-go over rsurl) and channel
929-
/// (`master`) default from the fingerprint, so the anchor is the only required
930-
/// input. The git stamps from `build.rs` let it also spot a newer build of the
931-
/// same version (and never reinstall the identical build). GUI-build only.
927+
/// The update channel this build tracks. The GUI build follows `master` (rsupd's
928+
/// default); the headless build follows `server`, a separate channel carrying the
929+
/// no-GUI binary, so a console worker updates to another console build rather than
930+
/// the GTK-linked GUI one. CI publishes each channel from its own binary.
932931
#[cfg(feature = "gui")]
932+
const UPDATE_CHANNEL: &str = "master";
933+
#[cfg(not(feature = "gui"))]
934+
const UPDATE_CHANNEL: &str = "server";
935+
936+
/// Build the signed auto-updater. The transport (dist-go over rsurl) defaults from
937+
/// the fingerprint, so the anchor + channel are the only required inputs. The git
938+
/// stamps from `build.rs` let it also spot a newer build of the same version (and
939+
/// never reinstall the identical build).
933940
fn build_updater() -> rsupd::Result<rsupd::Updater> {
934941
rsupd::Updater::builder(env!("CARGO_PKG_NAME"), env!("CARGO_PKG_VERSION"))
935942
.fingerprint_hex(RSUPD_FINGERPRINT)
943+
.channel(UPDATE_CHANNEL)
936944
.git_tag(env!("RSUPD_GIT_TAG"))
937945
.date_tag(rsupd::date_tag_from_unix(env!("RSUPD_BUILD_UNIX")))
938946
.build()
@@ -945,13 +953,12 @@ fn main() -> Result<()> {
945953
let args = RunArgs::parse();
946954
let status = Status::default();
947955

948-
// Self-update is a GUI-build feature only. The headless `-server` build ships
949-
// without it (operators update by re-downloading) — the master update channel
950-
// carries the GTK-linked GUI binary, which wouldn't even start on a server, so
951-
// a console build must never pull from it. Long-lived GUI workers keep
952-
// themselves current: check hourly in the background and restart into each new
953-
// signed build. `--once` is short-lived, so it skips the updater.
954-
#[cfg(feature = "gui")]
956+
// Long-lived workers keep themselves current: check hourly in the background
957+
// and restart into each new signed build. Each variant tracks its own update
958+
// channel (see `build_updater`) — the GUI build on `master`, the headless
959+
// `-server` build on `server` — so a console worker never pulls the GTK-linked
960+
// GUI binary, which wouldn't start on a display-less box. `--once` is
961+
// short-lived, so it skips the updater.
955962
if !args.once {
956963
match build_updater() {
957964
Ok(updater) => {

0 commit comments

Comments
 (0)