fix(website): fix install script version detection (#2322)

frewilhelm · web-flow · commit 84047f0e2e77 · 2026-04-20T15:56:16.000+02:00
## Summary

- Fix `install-cli.sh` picking pre-release tags (e.g. `cli/v0.4.0-rc.2`)
instead of the latest stable release (`cli/v0.3.0`)
- Add a `gh auth status` check before attempting attestation
verification
- Add live integration test workflow that installs a real release and
verifies attestation

## Problem

The version extraction in `get_release_version()` matched any
`cli/v`-prefixed tag. Since the API returns releases sorted by creation
date, a pre-release like `cli/v0.4.0-rc.2` was picked over the latest
stable `cli/v0.3.0`.

Additionally, `verify_binary` would fail with a confusing error when
`gh` was installed but not authenticated.

## Fix

- Changed the grep filter to a strict stable-version pattern
(`cli/vX.Y.Z` only - no `-rc`, no suffixes)
- Added `gh auth status` check with user-friendly warning when not
authenticated

## Testing

Added `website-live-test-install-script.yml` that:

- Resolves the latest stable CLI release via `actions/github-script`
(Octokit)
- Runs the real install script end-to-end with attestation verification
on linux/amd64 and linux/arm64
- Verifies the installed binary version matches the resolved release
- Tests the unauthenticated path (no `gh` auth) to ensure graceful skip
- Triggers on PRs, new releases, and manual dispatch

## Test plan

- [x] Push and verify the live test workflow passes on this PR
- [x] Run `bash website/static/install-cli.sh --help` locally

---------

Signed-off-by: Frederic Wilhelm &lt;frederic.wilhelm@sap.com&gt;
diff --git a/.github/workflows/website-live-test-install-script.yml b/.github/workflows/website-live-test-install-script.yml
@@ -0,0 +1,142 @@
+name: "Website: Live Test Install Script"
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/website-live-test-install-script.yml'
+      - 'website/static/install-cli.sh'
+  release:
+    types: [published]
+  workflow_dispatch:
+
+concurrency:
+  group: live-test-install-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  resolve:
+    runs-on: ubuntu-latest
+    name: Resolve latest stable CLI release
+    outputs:
+      version: ${{ steps.find.outputs.version }}
+      tag: ${{ steps.find.outputs.tag }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Find latest stable CLI release
+        id: find
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        with:
+          script: |
+            const { extractHighestPreviousReleaseVersion } = await import('${{ github.workspace }}/.github/scripts/release-versioning.js');
+            const tagPrefix = 'cli/v';
+
+            const releases = (await github.rest.repos.listReleases({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              per_page: 100,
+            })).data;
+
+            const version = extractHighestPreviousReleaseVersion(releases, tagPrefix);
+            if (!version) {
+              core.setFailed('No stable CLI release found');
+              return;
+            }
+
+            core.setOutput('version', version);
+            core.setOutput('tag', `${tagPrefix}${version}`);
+            core.info(`Resolved latest stable CLI release: ${tagPrefix}${version}`);
+
+  install:
+    needs: resolve
+    name: Install + verify (${{ matrix.runner }})
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        runner: [ubuntu-latest, ubuntu-24.04-arm]
+    env:
+      OCM_VERSION: ${{ needs.resolve.outputs.version }}
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Run install script
+        env:
+          INSTALL_DIR: ${{ runner.temp }}/ocm-bin
+          INSTALL_LOG: ${{ runner.temp }}/install.log
+        run: |
+          bash website/static/install-cli.sh "${INSTALL_DIR}" 2>&1 | tee "${INSTALL_LOG}"
+          echo "${INSTALL_DIR}" >> "$GITHUB_PATH"
+
+      - name: Verify attestation was checked
+        env:
+          INSTALL_LOG: ${{ runner.temp }}/install.log
+        run: |
+          if ! grep -q "Attestation verification successful" "${INSTALL_LOG}"; then
+            echo "::error::Attestation verification did not run or did not succeed"
+            cat "${INSTALL_LOG}"
+            exit 1
+          fi
+
+      - name: Verify installed binary
+        run: |
+          version_json=$(ocm version 2>/dev/null)
+          actual=$(echo "${version_json}" | jq -r '"\(.major).\(.minor).\(.patch)"')
+          if [[ "${actual}" != "${OCM_VERSION}" ]]; then
+            echo "::error::Version mismatch: expected ${OCM_VERSION}, got ${actual}"
+            exit 1
+          fi
+          echo "Installed version ${actual} matches expected ${OCM_VERSION}"
+          ocm --help > /dev/null
+
+  install-without-auth:
+    needs: resolve
+    name: Install without attestation
+    runs-on: ubuntu-latest
+    env:
+      EXPECTED_VERSION: ${{ needs.resolve.outputs.version }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Run install script without gh auth
+        env:
+          INSTALL_DIR: ${{ runner.temp }}/ocm-bin
+          INSTALL_LOG: ${{ runner.temp }}/install.log
+          GH_TOKEN: ""
+          GITHUB_TOKEN: ""
+          GH_CONFIG_DIR: /nonexistent
+        run: |
+          bash website/static/install-cli.sh "${INSTALL_DIR}" 2>&1 | tee "${INSTALL_LOG}"
+          echo "${INSTALL_DIR}" >> "$GITHUB_PATH"
+
+      - name: Verify attestation was skipped
+        env:
+          INSTALL_LOG: ${{ runner.temp }}/install.log
+        run: |
+          if ! grep -q "GitHub CLI is not authenticated. Skipping attestation verification." "${INSTALL_LOG}"; then
+            echo "::error::Expected unauthenticated skip message not found"
+            cat "${INSTALL_LOG}"
+            exit 1
+          fi
+
+      - name: Verify installed binary
+        run: |
+          version_json=$(ocm version 2>/dev/null)
+          actual=$(echo "${version_json}" | jq -r '"\(.major).\(.minor).\(.patch)"')
+          if [[ "${actual}" != "${EXPECTED_VERSION}" ]]; then
+            echo "::error::Version mismatch: expected ${EXPECTED_VERSION}, got ${actual}"
+            exit 1
+          fi
+          echo "Installed version ${actual} matches expected ${EXPECTED_VERSION}"
+          ocm --help > /dev/null
diff --git a/website/static/install-cli.sh b/website/static/install-cli.sh
@@ -132,25 +132,30 @@ setup_tmp() {
     trap cleanup INT EXIT
 }
 
+# Extract a stable CLI version from a releases JSON file.
+# Returns the version string (e.g. "0.3.0") or empty if none found.
+extract_stable_version() {
+    grep '"tag_name":' "$1" \
+        | grep -E "\"${TAG_PREFIX}v[0-9]+\.[0-9]+\.[0-9]+\"" \
+        | head -1 \
+        | sed -E "s|.*\"${TAG_PREFIX}v([^\"]+)\".*|\1|" \
+        || true # grep returns non-zero when no lines match; prevent set -e from killing the subshell
+}
+
 # Find version from Github metadata
 get_release_version() {
-    if [[ -n "${OCM_VERSION:-}" ]]; then
-        METADATA_URL="https://api.github.com/repos/${GITHUB_REPO}/releases/tags/${TAG_PREFIX}v${OCM_VERSION}"
-    else
+    if [[ -z "${OCM_VERSION:-}" ]]; then
         # Use the list endpoint so we can filter by TAG_PREFIX; /releases/latest may
         # point to a non-CLI release (e.g. a website or docs tag published more recently).
-        METADATA_URL="https://api.github.com/repos/${GITHUB_REPO}/releases"
-    fi
+        METADATA_URL="https://api.github.com/repos/${GITHUB_REPO}/releases?per_page=100"
+        info "Downloading metadata ${METADATA_URL}"
+        download "${TMP_METADATA}" "${METADATA_URL}"
 
-    info "Downloading metadata ${METADATA_URL}"
-    download "${TMP_METADATA}" "${METADATA_URL}"
+        OCM_VERSION=$(extract_stable_version "${TMP_METADATA}")
+    fi
 
-    # tag_name has the format "cli/v0.1.0" – strip the prefix and leading "v".
-    # When OCM_VERSION is unset the response is a JSON array; grep the first
-    # tag_name that starts with TAG_PREFIX to avoid picking a non-CLI release.
-    VERSION_OCM=$(grep '"tag_name":' "${TMP_METADATA}" | grep "\"${TAG_PREFIX}v" | head -1 | sed -E "s|.*\"${TAG_PREFIX}v([^\"]+)\".*|\1|")
-    if [[ -n "${VERSION_OCM}" ]]; then
-        info "Using ${VERSION_OCM} as release"
+    if [[ -n "${OCM_VERSION}" ]]; then
+        info "Using ${OCM_VERSION} as release"
     else
         fatal "Unable to determine release version"
     fi
@@ -176,7 +181,7 @@ download() {
 # Download binary from Github URL
 # Assets follow the naming scheme: ocm-{OS}-{ARCH} (no version, no archive)
 download_binary() {
-    BIN_URL="https://github.com/${GITHUB_REPO}/releases/download/${TAG_PREFIX}v${VERSION_OCM}/ocm-${OS}-${ARCH}"
+    BIN_URL="https://github.com/${GITHUB_REPO}/releases/download/${TAG_PREFIX}v${OCM_VERSION}/ocm-${OS}-${ARCH}"
     info "Downloading binary ${BIN_URL}"
     download "${TMP_BIN}" "${BIN_URL}"
 }
@@ -198,6 +203,14 @@ verify_binary() {
         return 0
     fi
 
+    # Check if gh CLI is authenticated to github.com
+    if ! gh auth status --hostname github.com &> /dev/null; then
+        warn "GitHub CLI is not authenticated. Skipping attestation verification."
+        warn "To verify the binary, run: gh auth login"
+        warn "Or set OCM_SKIP_VERIFY=true to suppress this warning."
+        return 0
+    fi
+
     info "Verifying binary attestation..."
     if gh attestation verify "${TMP_BIN}" --repo "${GITHUB_REPO}" 2>/dev/null; then
         info "Attestation verification successful"
@@ -230,5 +243,5 @@ setup_binary() {
     ensure_bin_dir
     setup_binary
     ensure_path
-    info "OCM CLI v${VERSION_OCM} installed successfully"
+    info "OCM CLI v${OCM_VERSION} installed successfully"
 }
