Skip to content

fix(desktop): identify updater traffic and add a GitHub manifest fallback#6038

Merged
SivanCola merged 1 commit into
esengine:main-v2from
SivanCola:fix/desktop-updater-ua-github-fallback
Jul 6, 2026
Merged

fix(desktop): identify updater traffic and add a GitHub manifest fallback#6038
SivanCola merged 1 commit into
esengine:main-v2from
SivanCola:fix/desktop-updater-ua-github-fallback

Conversation

@SivanCola

Copy link
Copy Markdown
Collaborator

Problem

dl.reasonix.io and crash.reasonix.io share one Cloudflare zone, so edge bot protection that scores a user's egress IP badly takes out both manifest endpoints at once — that is what #6005 reports (403 on the gateway, proxy on; the same wall CI already documents for Actions egress in release-desktop.yml). Two aggravating factors in the client:

Changes

  • Send a descriptive User-Agent: Reasonix-Updater/<version> (<os>/<arch>; <channel>) on manifest and artifact requests, so the release edge can allowlist updater traffic by UA and server logs can attribute it.
  • Append the GitHub compatibility manifest (releases/latest/download/latest.json) as the stable channel's last resort. This is safe despite the repo-wide-latest caveat: release.yml pins the latest badge to the CLI line and attaches the desktop-manifest mirror ("desktop manifest compatibility asset") to every stable CLI release, so that URL always serves the desktop manifest — from infrastructure outside the shared Cloudflare zone. Canary has no GitHub release and stays two-deep.
  • Keep every endpoint's failure via errors.Join so a failed check shows the whole chain.

TestChannelSelectsDistinctPointers updated: the GitHub fallback is allowed only in stable's explicit last slot; all other slots still reject repository-wide /releases/latest.

Testing

  • go test . in desktop/ passes (full package, -count=1).

Remaining ops (not addressable in code)

#6005's root cause still needs a Cloudflare WAF skip rule for GET /v1/desktop/releases/* (public, read-only, already cache-control: public) — this PR makes the client survive until that lands and gives the rule a UA to match on.

Refs #6005, #5858

…back

Both manifest endpoints (dl.reasonix.io, crash.reasonix.io) share one
Cloudflare zone, so bot protection that 403s a user's egress IP takes out
the whole chain at once (esengine#6005). Three changes:

- Send a descriptive User-Agent on manifest and artifact requests so the
  edge can allowlist updater traffic instead of scoring it as a generic
  Go client.
- Append the GitHub compatibility manifest as the stable channel's last
  resort. release.yml pins the desktop-manifest mirror to the repo-wide
  latest release (the compatibility asset), so the URL always serves the
  desktop manifest, from infrastructure outside that Cloudflare zone.
- Keep every endpoint's failure via errors.Join instead of surfacing only
  whichever endpoint died last, so reports like esengine#6005 show the full chain.
@SivanCola SivanCola requested a review from esengine as a code owner July 5, 2026 20:26
@github-actions github-actions Bot added v2 Go rewrite (1.x) — main-v2 branch, active development desktop Wails desktop app (desktop/**) updater Auto-update / installer / release packaging labels Jul 5, 2026
@SivanCola SivanCola merged commit 1f46e71 into esengine:main-v2 Jul 6, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

desktop Wails desktop app (desktop/**) updater Auto-update / installer / release packaging v2 Go rewrite (1.x) — main-v2 branch, active development

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant