fix(desktop): identify updater traffic and add a GitHub manifest fallback#6038
Merged
SivanCola merged 1 commit intoJul 6, 2026
Merged
Conversation
…back Both manifest endpoints (dl.reasonix.io, crash.reasonix.io) share one Cloudflare zone, so bot protection that 403s a user's egress IP takes out the whole chain at once (esengine#6005). Three changes: - Send a descriptive User-Agent on manifest and artifact requests so the edge can allowlist updater traffic instead of scoring it as a generic Go client. - Append the GitHub compatibility manifest as the stable channel's last resort. release.yml pins the desktop-manifest mirror to the repo-wide latest release (the compatibility asset), so the URL always serves the desktop manifest, from infrastructure outside that Cloudflare zone. - Keep every endpoint's failure via errors.Join instead of surfacing only whichever endpoint died last, so reports like esengine#6005 show the full chain.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
dl.reasonix.ioandcrash.reasonix.ioshare one Cloudflare zone, so edge bot protection that scores a user's egress IP badly takes out both manifest endpoints at once — that is what #6005 reports (403 on the gateway, proxy on; the same wall CI already documents for Actions egress in release-desktop.yml). Two aggravating factors in the client:Go-http-clientUA — exactly the profile bot protection scores worst, and impossible to allowlist server-side.fetchManifestonly surfaces whichever endpoint failed last, so [Bug]: 更新检查失败,获取 latest.json 清单返回 403 Forbidden #6005-style reports show the gateway 403 but hide that the R2 pointer failed too.Changes
User-Agent: Reasonix-Updater/<version> (<os>/<arch>; <channel>)on manifest and artifact requests, so the release edge can allowlist updater traffic by UA and server logs can attribute it.releases/latest/download/latest.json) as the stable channel's last resort. This is safe despite the repo-wide-latest caveat: release.yml pins the latest badge to the CLI line and attaches the desktop-manifest mirror ("desktop manifest compatibility asset") to every stable CLI release, so that URL always serves the desktop manifest — from infrastructure outside the shared Cloudflare zone. Canary has no GitHub release and stays two-deep.errors.Joinso a failed check shows the whole chain.TestChannelSelectsDistinctPointersupdated: the GitHub fallback is allowed only in stable's explicit last slot; all other slots still reject repository-wide/releases/latest.Testing
go test .indesktop/passes (full package,-count=1).Remaining ops (not addressable in code)
#6005's root cause still needs a Cloudflare WAF skip rule for
GET /v1/desktop/releases/*(public, read-only, alreadycache-control: public) — this PR makes the client survive until that lands and gives the rule a UA to match on.Refs #6005, #5858