| -rw-r--r-- | CLAUDE.md | 11 | ||||
| -rw-r--r-- | README.md | 9 | ||||
| -rw-r--r-- | firefly-update | 43 |
3 files changed, 55 insertions, 8 deletions
@@ -29,6 +29,17 @@ Debian. See README.md for usage; this file is the non-obvious context. on the v2 error and login pages. Graphs breaking = missing `public/v1/js` bundles (see the zip point above), a different cause. +- **Upgrade artisan sequence follows the official self-managed docs**: + `migrate --seed`, `cache:clear`, `view:clear`, `firefly-iii:upgrade-database`, + `firefly-iii:laravel-passport-keys`. Use `firefly-iii:laravel-passport-keys`, + NOT `passport:install`. We add `--force` (non-interactive) and the oauth + reconcile before migrate. Docs also confirm composer create-project is no + longer recommended. + +- **Release `.sha256` format** is `<hash> *FireflyIII-<tag>.zip` (BSD-style, + space then `*`); `cut -d' ' -f1` gets the hash. The script verifies it when + `sha256sum` is available, and validates the extracted tree before swapping. + ## Conventions - Config via env vars (`WORKDIR`, `INSTANCE`, `BACKUPDIR`), matching the @@ -12,7 +12,14 @@ create-project`. The composer/Packagist dist ships source only and lacks the compiled frontend bundles, which leaves the UI broken (no graphs, 404s on `/v1/js/app.js`). The release zip is prebuilt. -Requires `curl`, `unzip`, `php`, and `sqlite3` on the host. +Requires `curl`, `unzip`, `php`, and `sqlite3` on the host. If `sha256sum` is +present, the download is verified against the release checksum, and the +extracted tree is validated (`artisan`, `bootstrap`, `vendor`, the compiled +frontend bundle) before the live swap. + +The upgrade commands follow the official self-managed upgrade docs +(`migrate --seed`, `cache:clear`, `view:clear`, `firefly-iii:upgrade-database`, +`firefly-iii:laravel-passport-keys`), with `--force` for non-interactive use. ## Usage diff --git a/firefly-update b/firefly-update index fe46d4a..e8209c5 100644 --- a/firefly-update +++ b/firefly-update 
@@ -141,12 +141,37 @@ echo "installing firefly-iii $tag"
 rm -rf "$UPDATED"
 mkdir -p "$UPDATED"
 zip="${WORKDIR}/firefly-${tag}.zip"
-url="https://github.com/firefly-iii/firefly-iii/releases/download/${tag}/FireflyIII-${tag}.zip"
-echo "downloading $url"
-curl -fL -o "$zip" "$url"
-unzip -q "$zip" -d "$UPDATED"
+base="https://github.com/firefly-iii/firefly-iii/releases/download/${tag}/FireflyIII-${tag}.zip"
+echo "downloading $base"
+curl -fL -o "$zip" "$base"
+
+# Verify the archive against the release SHA256 if available and sha256sum is
+# present. A truncated/corrupt download otherwise extracts garbage.
+if command -v sha256sum >/dev/null && curl -fLs -o "${zip}.sha256" "${base}.sha256"; then
+ # The published file is "<hash> FireflyIII-<tag>.zip"; check against our path.
+ expected=$(cut -d' ' -f1 "${zip}.sha256")
+ actual=$(sha256sum "$zip" | cut -d' ' -f1)
+ rm -f "${zip}.sha256"
+ if [ "$expected" != "$actual" ]; then
+ echo "checksum mismatch: expected $expected, got $actual" >&2
+ rm -f "$zip"
+ exit 1
+ fi
+ echo "checksum OK"
+fi
+
+# Exclude storage/ from extraction: we carry over the live storage below, and
+# the zip's storage skeleton would only get in the way.
+unzip -q "$zip" -x 'storage/*' -d "$UPDATED"
 rm -f "$zip"
+# Validate the extracted tree before proceeding. A partial extract must not be
+# allowed to replace the live install. $OLD does not exist yet at this point,
+# so failing here leaves the live instance untouched (ERR trap + set -e).
+for item in artisan bootstrap vendor public/v1/js/app.js; do
+ [ -e "${UPDATED}/${item}" ] || { echo "extracted install incomplete, missing: $item" >&2; exit 1; }
+done
+
 # Carry over config and user data. cp -a of dir/. copies contents incl. dotfiles,
 # and does not fail on an empty source directory. mkdir -p in case the zip
 # ships these dirs gitignored/absent.
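Review bot: The checksum block fails open without telling the operator: when `sha256sum` is missing or the `.sha256` fetch fails for any reason, the whole `if` is skipped and the archive is extracted unverified with no log line. Add an `else` branch such as `else echo "warning: release checksum not verified, continuing" >&2`, in the same style as the sqlite3 warning later in the script, or abort unless the operator has explicitly opted out of verification. The comment above the block should also say that the `.sha256` file comes from the same release URL as the zip, so the check catches truncated or corrupt downloads but gives no assurance if the release asset itself has been replaced.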
@@ -187,10 +212,14 @@ else
 echo "warning: sqlite3 not found, skipping oauth migration reconcile" >&2
 fi
-php artisan migrate --force
-php artisan firefly-iii:upgrade-database
-php artisan passport:install
+# Upgrade sequence per the official self-managed upgrade docs, with --force
+# (non-interactive) and the oauth reconcile above. laravel-passport-keys is the
+# Firefly-specific passport step, not the generic passport:install.
+php artisan migrate --force --seed
 php artisan cache:clear
+php artisan view:clear
+php artisan firefly-iii:upgrade-database
+php artisan firefly-iii:laravel-passport-keys
 # Swap next version in. set -e above aborts before this if any step failed,
 # so a broken build never replaces the live install. |
