-rw-r--r-- CLAUDE.md 11
-rw-r--r-- README.md 9
-rw-r--r-- firefly-update 43
3 files changed, 55 insertions, 8 deletions
diff --git a/CLAUDE.md b/CLAUDE.md
index c1c103b..2c745ae 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -29,6 +29,17 @@ Debian. See README.md for usage; this file is the non-obvious context.
on the v2 error and login pages. Graphs breaking = missing `public/v1/js`
bundles (see the zip point above), a different cause.
+- **Upgrade artisan sequence follows the official self-managed docs**:
+ `migrate --seed`, `cache:clear`, `view:clear`, `firefly-iii:upgrade-database`,
+ `firefly-iii:laravel-passport-keys`. Use `firefly-iii:laravel-passport-keys`,
+ NOT `passport:install`. We add `--force` (non-interactive) and the oauth
+ reconcile before migrate. Docs also confirm composer create-project is no
+ longer recommended.
+
+- **Release `.sha256` format** is `<hash> *FireflyIII-<tag>.zip` (BSD-style,
+ space then `*`); `cut -d' ' -f1` gets the hash. The script verifies it when
+ `sha256sum` is available, and validates the extracted tree before swapping.
+
## Conventions
- Config via env vars (`WORKDIR`, `INSTANCE`, `BACKUPDIR`), matching the
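Review bot: In the `.sha256` bullet, "BSD-style" is the wrong label for `<hash> *FireflyIII-<tag>.zip`. A hash followed by a space and `*` before the filename is the GNU coreutils binary-mode line; BSD-style (what `sha256sum --tag` prints) is `SHA256 (file) = <hash>`. Suggest correcting or dropping the label, and aligning it with the comment in `firefly-update`, which writes the format without the `*`. It is also worth recording here that the check is skipped, not failed, when `sha256sum` is absent.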
diff --git a/README.md b/README.md
index caf5f8f..13892bf 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,14 @@ create-project`. The composer/Packagist dist ships source only and lacks the
compiled frontend bundles, which leaves the UI broken (no graphs, 404s on
`/v1/js/app.js`). The release zip is prebuilt.
-Requires `curl`, `unzip`, `php`, and `sqlite3` on the host.
+Requires `curl`, `unzip`, `php`, and `sqlite3` on the host. If `sha256sum` is
+present, the download is verified against the release checksum, and the
+extracted tree is validated (`artisan`, `bootstrap`, `vendor`, the compiled
+frontend bundle) before the live swap.
+
+The upgrade commands follow the official self-managed upgrade docs
+(`migrate --seed`, `cache:clear`, `view:clear`, `firefly-iii:upgrade-database`,
+`firefly-iii:laravel-passport-keys`), with `--force` for non-interactive use.
## Usage
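Review bot: The new Requires paragraph makes verification conditional ("If `sha256sum` is present") without saying what happens otherwise: the script then installs an unverified archive, and it does the same when the `.sha256` file cannot be fetched. Either add `sha256sum` to the required tools or state the skip explicitly. Since the checksum is fetched from the same release URL as the zip, the wording should also make clear that this catches truncated or corrupt downloads and does not prove who published the archive.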
diff --git a/firefly-update b/firefly-update
index fe46d4a..e8209c5 100644
--- a/firefly-update
+++ b/firefly-update
@@ -141,12 +141,37 @@ echo "installing firefly-iii $tag"
rm -rf "$UPDATED"
mkdir -p "$UPDATED"
zip="${WORKDIR}/firefly-${tag}.zip"
-url="https://github.com/firefly-iii/firefly-iii/releases/download/${tag}/FireflyIII-${tag}.zip"
-echo "downloading $url"
-curl -fL -o "$zip" "$url"
-unzip -q "$zip" -d "$UPDATED"
+base="https://github.com/firefly-iii/firefly-iii/releases/download/${tag}/FireflyIII-${tag}.zip"
+echo "downloading $base"
+curl -fL -o "$zip" "$base"
+
+# Verify the archive against the release SHA256 if available and sha256sum is
+# present. A truncated/corrupt download otherwise extracts garbage.
+if command -v sha256sum >/dev/null && curl -fLs -o "${zip}.sha256" "${base}.sha256"; then
+ # The published file is "<hash> FireflyIII-<tag>.zip"; check against our path.
+ expected=$(cut -d' ' -f1 "${zip}.sha256")
+ actual=$(sha256sum "$zip" | cut -d' ' -f1)
+ rm -f "${zip}.sha256"
+ if [ "$expected" != "$actual" ]; then
+ echo "checksum mismatch: expected $expected, got $actual" >&2
+ rm -f "$zip"
+ exit 1
+ fi
+ echo "checksum OK"
+fi
+
+# Exclude storage/ from extraction: we carry over the live storage below, and
+# the zip's storage skeleton would only get in the way.
+unzip -q "$zip" -x 'storage/*' -d "$UPDATED"
rm -f "$zip"
+# Validate the extracted tree before proceeding. A partial extract must not be
+# allowed to replace the live install. $OLD does not exist yet at this point,
+# so failing here leaves the live instance untouched (ERR trap + set -e).
+for item in artisan bootstrap vendor public/v1/js/app.js; do
+ [ -e "${UPDATED}/${item}" ] || { echo "extracted install incomplete, missing: $item" >&2; exit 1; }
+done
+
# Carry over config and user data. cp -a of dir/. copies contents incl. dotfiles,
# and does not fail on an empty source directory. mkdir -p in case the zip
# ships these dirs gitignored/absent.
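Review bot: The checksum block fails open. In `if command -v sha256sum >/dev/null && curl -fLs -o "${zip}.sha256" "${base}.sha256"; then`, a missing `sha256sum` or any failure fetching the `.sha256` (404, network error) skips the branch silently, and the script goes on to `unzip` an unverified archive. Suggest an `else` that at least prints a warning to stderr, or exiting unless an explicit opt-out variable is set. Minor: `base` now holds the full zip URL, so the name reads oddly next to `${base}.sha256`, and the comment on the published format omits the `*` that CLAUDE.md documents.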
@@ -187,10 +212,14 @@ else
echo "warning: sqlite3 not found, skipping oauth migration reconcile" >&2
fi
-php artisan migrate --force
-php artisan firefly-iii:upgrade-database
-php artisan passport:install
+# Upgrade sequence per the official self-managed upgrade docs, with --force
+# (non-interactive) and the oauth reconcile above. laravel-passport-keys is the
+# Firefly-specific passport step, not the generic passport:install.
+php artisan migrate --force --seed
php artisan cache:clear
+php artisan view:clear
+php artisan firefly-iii:upgrade-database
+php artisan firefly-iii:laravel-passport-keys
# Swap next version in. set -e above aborts before this if any step failed,
# so a broken build never replaces the live install.
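Review bot: The comment above `php artisan migrate --force --seed` cites "the official self-managed upgrade docs" but gives no URL or docs version, so the sequence cannot be re-checked when upstream changes it. Suggest adding the link and the release or date it was checked against. Only `migrate` receives `--force` here, while the comment reads as if it applied to the whole sequence; say which commands need it.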