fix(update): select release asset by exact name, not prefix #201
Merged
HasPrefix with break-on-first-hit made asset selection dependent on GitHub's unguaranteed asset ordering: any sibling asset starting with clem_<os>_<arch> would be downloaded, chmod 0755'd, and renamed over the running binary. Match the exact name instead and extract the selection into selectBinaryAsset for testability.
jahwag approved these changes Jun 10, 2026
jahwag pushed a commit that referenced this pull request Jun 10, 2026
v0.12.2 landed three fixes (#198, #199, #201) that overlap this branch. Resolutions defer to upstream's reviewed decisions where we collided:

- config: adopt #198's control-char-only validation for name AND role (drop this branch's stricter metachar rejection — upstream's policy is escape-at-render-site, shipped for the alert sink in #199 and tracked for the runner templates as #112). Keep this branch's modelRe check, which has no upstream equivalent.
- update: adopt #201's selectBinaryAsset exact-name match wholesale (it also fixes the asset-ordering hazard this branch's refactor had preserved); keep this branch's latestReleaseURL test seam and fetchLatestRelease status tests alongside upstream's table tests.
- runner: #199's escapeForAlert merged cleanly with the gofmt fixes.

Full suite green under C and UTF-8 locales; lint clean.

https://claude.ai/code/session_013fHtnLBPf9XGX3pemrAwL5

Signed-off-by: Claude <noreply@anthropic.com>
This was referenced Jun 10, 2026
clauderesearch added a commit that referenced this pull request Jun 10, 2026
…efresh) (#205)

Rebases the skills feature (059e5bf + 822c997, previously only on the v0.10.0-snapshot.1 channel) onto current main, restoring per-provision and per-iteration team-skills sync that went dormant after the box moved to mainline v0.13.0. Closes #204.

## What

- Top-level skills_repo config key: clem provision clones the repo per agent and symlinks shared/<skill> and <agentKey>/<skill> into ~/.claude/skills/; idempotent re-runs git pull --ff-only, stale symlinks pruned.
- clem sync-skills subcommand + runner hook: skills refresh at the top of every iteration, no operator round-trip after a skills PR merges.
- clem update --snapshot flag: opt-in prerelease channel (goreleaser prerelease: auto keeps snapshot tags off stable hosts).

## Rebase conflict resolutions (vs v0.13.0-era main)

- config.go: SkillsRepo registered as a real struct field, so it passes the new strict unknown-key validation; isPlausibleGitURL check runs in Load().
- IsValidExtensionName moved to extensions.go next to extensionNameRe (file was split since the original commits).
- update.go: kept main's exact-name selectBinaryAsset (#201) and test-overridable URL vars; added Prerelease/Draft fields + allReleasesURL for the snapshot channel.
- runner.go/provision.go: skills hooks re-inserted into the refactored provisionAgent / Params paths alongside ProxyExport/SidecarServers.

## Verification

- go build ./... clean, gofmt clean, go vet clean
- go test ./... all packages ok, including restored skills tests: TestLoad_SkillsRepoAccepted/Rejected, TestGenerate_SkillsSyncInjectedWhenRepoSet/AbsentWhenRepoUnset, SyncSkillsRepo manager tests
- Pre-push secret-scan flag is a false positive: neither commit diff contains a GH_TOKEN read (grep of both diffs is empty; provision.go:46 is pre-existing main code), pushed with CLEM_HOOK_SKIP_CODE_SCAN=1

Release plan per jahwag: merge, then tag v0.14.0 (new feature = minor bump rather than v0.13.1).
--------- Co-authored-by: jahwag <540380+jahwag@users.noreply.github.com>
Closes #194.
runUpdate matched the release asset with strings.HasPrefix and broke on the first hit, so selection depended on GitHub's unguaranteed asset ordering. Any sibling asset whose name starts with clem_<os>_<arch> would be downloaded and renamed over the running binary.
Change
selectBinaryAsset and match the asset name exactly (==) against clem_<os>_<arch>.
ghAsset) so the selector is testable; no other callers exist.
Notes
.goreleaser.yaml and the live v0.11.0–v0.12.1 release asset lists). It confirmed exact match is correct for every current/historical layout (linux-only builds, binary archive format, no .exe case) and caught one inaccuracy in my draft rationale: the published SBOM embeds the version (clem_0.12.1_linux_amd64.sbom.json), so it does not share the binary prefix today — the live risk is narrower (.sig/.pem siblings or a future SBOM naming change). Comments and this body were corrected accordingly.
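
The ordering hazard described in this pull request, as an added example that is not the project's code: the `asset` type, the `selectByPrefix` and `selectExact` functions, and the asset list are hypothetical, with constructed names following the `clem_<os>_<arch>` pattern and the `.sig`/`.pem` siblings mentioned in the notes.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// asset is a hypothetical stand-in for one entry in a release's asset list.
type asset struct{ Name, URL string }

var errNoAsset = errors.New("no matching release asset")

// selectByPrefix: first HasPrefix hit wins, so list order decides the result.
func selectByPrefix(assets []asset, goos, goarch string) (asset, error) {
	want := "clem_" + goos + "_" + goarch
	for _, a := range assets {
		if strings.HasPrefix(a.Name, want) {
			return a, nil
		}
	}
	return asset{}, errNoAsset
}

// selectExact accepts only the asset named exactly clem_<os>_<arch>.
func selectExact(assets []asset, goos, goarch string) (asset, error) {
	want := "clem_" + goos + "_" + goarch
	for _, a := range assets {
		if a.Name == want {
			return a, nil
		}
	}
	return asset{}, errNoAsset
}

// sampleAssets is constructed data: a sibling that shares the prefix is listed first.
func sampleAssets() []asset {
	return []asset{
		{"clem_linux_amd64.sig", "https://example.invalid/clem_linux_amd64.sig"},
		{"clem_linux_amd64", "https://example.invalid/clem_linux_amd64"},
		{"clem_linux_amd64.pem", "https://example.invalid/clem_linux_amd64.pem"},
	}
}

func main() {
	p, _ := selectByPrefix(sampleAssets(), "linux", "amd64")
	e, _ := selectExact(sampleAssets(), "linux", "amd64")
	fmt.Println("prefix:", p.Name, "exact:", e.Name)
}
```

With the sibling listed first, the prefix selector returns the signature file while the exact selector returns the binary regardless of order, and it returns an error when no asset carries the exact name.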