feat(install): replace install.sh with GitHub Releases installer (autopg-finalize G1) #95
…ze G1)
Closes G1 of `autopg-distribution-cutover-finalize` (PR #93). Splits the install surface into three files:
install-autopg.sh (NEW, 74 lines, ≤80 spec ✓):
Canonical v2.6+ installer. Detects platform, fetches the signed tarball from GitHub Releases, verifies via `gh attestation verify` (Sigstore Rekor public-good — no private CDN, no custom verifier), extracts, and runs `pgserve install`. Resolves `PGSERVE_VERSION=latest` via the GitHub releases API. `--dry-run` prints what would happen without executing; `--help` / `-h` shows usage.
install-pgserve-legacy.sh (RENAMED from install.sh, +banner):
The original 123-line npm + pm2 installer, unchanged behavior. Top of file gets a deprecation banner pointing operators at install-autopg.sh; running it prints a one-line stderr deprecation note before proceeding so existing CI doesn't hard-break.
install.sh (REPLACED with 13-line shim, ≤15 spec ✓):
Tiny shim that prints a stderr deprecation note + the new install URL and exits 0. Operators with bookmarked `curl … | sh` get a clear hint instead of a 404 (which a plain rename would have produced) or a silent break.
README.md:
Installation section gains the `curl … | bash install-autopg.sh` recommended path on top, with the npm paths preserved below for development. Note explains the gh-CLI dependency and the legacy installer's location.
Validation:
- shellcheck install.sh install-autopg.sh install-pgserve-legacy.sh: clean
- wc -l install.sh = 13 (≤15)
- wc -l install-autopg.sh = 74 (≤80)
- bash install-autopg.sh --dry-run on linux-x64 prints the expected GitHub Releases URL + `gh attestation verify` command
- bash install-autopg.sh --help prints the usage block
- bash install.sh prints the deprecation note + new URL on stderr and exits 0
Cohort: G1 of autopg-distribution-cutover-finalize. G2 (pg-query dedup) shipped in PR #94. Wave 1 complete after both merge.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Code Review
This pull request introduces a new signed binary installation method via install-autopg.sh, which verifies releases using GitHub attestations. The legacy npm-based installer is deprecated and moved to install-pgserve-legacy.sh, with install.sh converted into a shim. Reviewers identified that the new installation path is not added to the user's PATH, the README contains an incomplete command URL, and the installation process redundantly copies the source tarball to the final directory.
| echo "[autopg] installing pm2 supervisor" | ||
| "$INSTALL_DIR/bin/pgserve" install | ||
|
|
||
| echo "[autopg] done — pgserve@${VERSION} installed under pm2" |
The script installs the binary to a versioned directory (~/.local/share/pgserve/...) but does not add this directory to the user's PATH or create a symlink in a common binary directory (like ~/.local/bin). This means that after installation, the pgserve and autopg commands will not be available in the shell as expected by the documentation. Consider adding a symlink or providing instructions to update the PATH.
| curl -fsSL https://raw.githubusercontent.com/namastexlabs/pgserve/main/install-autopg.sh | bash | ||
|
|
||
| # Pinned version | ||
| PGSERVE_VERSION=v2.6.0 curl -fsSL .../install-autopg.sh | bash |
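Review bot: In the pinned-version line, `PGSERVE_VERSION=v2.6.0` is an assignment prefix on `curl`, so it is set only in curl's environment and never reaches the `bash` on the right of the pipe; the script runs as if no version had been requested. Move the assignment to the consumer, `curl -fsSL .../install-autopg.sh | PGSERVE_VERSION=v2.6.0 bash`, or export it before the pipeline. Both commands also fetch the script from the mutable `main` branch, so the pinned example pins the release payload but not the installer that runs.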
The use of ... in the curl command makes the snippet non-functional for users who copy-paste it. It is better to provide the full URL to ensure the documentation is immediately usable.
| PGSERVE_VERSION=v2.6.0 curl -fsSL .../install-autopg.sh | bash | |
| PGSERVE_VERSION=v2.6.0 curl -fsSL https://raw.githubusercontent.com/namastexlabs/pgserve/main/install-autopg.sh | bash |
| # `pgserve install` Just Works after extract. | ||
| INSTALL_DIR="$HOME/.local/share/pgserve/${VERSION}" | ||
| mkdir -p "$INSTALL_DIR" | ||
| cp -r "$TMP"/* "$INSTALL_DIR/" |
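Review bot: On the `cp -r "$TMP"/* "$INSTALL_DIR/"` line, the copy merges into whatever already exists at `$INSTALL_DIR`, so re-running the installer for the same `${VERSION}` leaves files from the previous extract in place next to the new ones, and the `*` glob skips dotfiles. Extract into a fresh staging directory and move it into place (or remove the old `$INSTALL_DIR` first) so the installed tree contains exactly what the tarball contained.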
This command copies everything from the temporary directory to the installation directory, which includes the downloaded .tar.gz file. This results in unnecessary disk usage in the user's home directory. Removing the tarball before copying the extracted contents is more efficient.
| cp -r "$TMP"/* "$INSTALL_DIR/" | |
| rm "$TMP/$TARBALL" && cp -r "$TMP"/* "$INSTALL_DIR/" |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ade40b76bc
| *) echo "[autopg] unsupported platform: $(uname -s)-$(uname -m)" >&2; exit 1 ;; | ||
| esac | ||
|
|
||
| TARBALL="pgserve-${VERSION#v}-${PLATFORM}.tar.gz" |
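Review bot: `VERSION` is interpolated straight into the asset name on the `TARBALL=` line with only the leading `v` stripped, and no format check is visible in this hunk. If it can carry an operator-supplied `PGSERVE_VERSION`, validate it against a strict pattern (for example `v` followed by dotted digits) before building file names and paths from it, so a value containing `/` or `..` is rejected with a clear error, the same way the unsupported-platform case above exits 1.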
Fetch the release asset name produced by CI
The installer constructs pgserve-${VERSION#v}-${PLATFORM}.tar.gz, but the build/release pipeline publishes autopg-${version}-${platform}.tar.gz artifacts (see scripts/assemble-tarball.sh and .github/workflows/build-tarballs.yml). This makes the generated GitHub Releases URL invalid, so curl -fsSL --output ... "$URL" fails and the canonical installer cannot install anything.
| cp -r "$TMP"/* "$INSTALL_DIR/" | ||
|
|
||
| echo "[autopg] installing pm2 supervisor" | ||
| "$INSTALL_DIR/bin/pgserve" install |
Run the executable path that actually exists after extract
After extraction, the script executes $INSTALL_DIR/bin/pgserve, but the tarball assembly currently packages files under an autopg/ root (tar ... autopg/ in scripts/assemble-tarball.sh), not bin/pgserve. Even with a successful download, this command path does not exist and the install exits with a file-not-found error.
…installer
Felipe directive: don't deprecate, replace. Single install.sh.
The earlier shape (3 files: install.sh shim + install-autopg.sh +
install-pgserve-legacy.sh) was the wrong tradeoff. Replacing
in-place is cleaner — operators with bookmarked
`curl … main/install.sh | bash` invocations get the new behavior
directly, no migration step. The npm + pm2 install path is preserved
via the existing `pgserve install` CLI verb (operators who want it
do `npm install -g pgserve && pgserve install`).
Changes:
- install-autopg.sh: deleted (its body became install.sh).
- install-pgserve-legacy.sh: deleted (no legacy file kept).
- install.sh: replaced with the GitHub Releases + gh-attestation
body. 74 lines (≤80 spec ✓), shellcheck clean,
`bash install.sh --dry-run` resolves the latest version via the
GitHub releases API and prints the fetch URL + verify command
without executing.
- README.md: install section references install.sh (no autopg
name, no legacy note).
Wish-side note: this overrides Decision #1 in the merged
autopg-distribution-cutover-finalize wish, which prescribed the
3-file split. Decision needs an update — separate follow-up commit
to the wish file.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
… (PR #95)
Felipe directive: no more npm, effective immediately. pgserve update will not rely on npm anymore. Next PR drops npmjs publishing once we prove install + update work without it.
Changes:
README.md:
install section now shows ONLY the binary install path (`curl … main/install.sh | bash` + pinned-version variant). The npm paths (`npx pgserve`, `npm install -g pgserve`, `npm install pgserve`) are removed. Note explicitly states "pgserve no longer depends on npm".
src/upgrade/steps/binary-cache-flush.js:
when the upgrade flow detects a binary-cache mismatch and the postgres-module download API isn't exposed, the operator hint pointed at `bun install -g @automagik/autopg@latest`. Now points at `curl … main/install.sh | bash` — same outcome, no npm dependency. Detail message updated to "binary refresh needs install.sh rerun (no npm dependency)".
What still depends on npm (FOLLOW-UP PR territory):
- package.json `bin` entries route through `bin/pgserve-wrapper.cjs` + `bin/autopg-wrapper.cjs`. These work whether the package was installed via npm OR via install.sh's tarball — no change needed.
- The release-publish workflow still pushes to npmjs. Felipe's plan: keep that until we've seen install + update work end-to-end without it, then drop npm publishing in a follow-up.
Validation: bun test tests/upgrade/ → 3/3 pass; lint clean.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
Closes G1 of `autopg-distribution-cutover-finalize` (PR #93). Replaces `install.sh` in-place with the new GitHub Releases + cosign-verify body. No additional .sh files; no deprecation banner.
What ships
Decisions implemented
Per Felipe directive: don't deprecate, replace — single `install.sh`. The npm + pm2 install path is preserved via the existing `pgserve install` CLI verb (operators who want it do `npm install -g pgserve && pgserve install`).
Test plan
Wish update
This overrides Decision #1 of the merged `autopg-distribution-cutover-finalize` wish (which prescribed the 3-file split). A follow-up commit to the wish file updates the decision to match this PR.
🤖 Generated with Claude Code