Validate downloaded assets are real archives before publishing#3
Open
lcatlett wants to merge 2 commits intoadwinying:masterfrom
Open
Validate downloaded assets are real archives before publishing#3lcatlett wants to merge 2 commits intoadwinying:masterfrom
lcatlett wants to merge 2 commits intoadwinying:masterfrom
Conversation
The upstream dl.static-php.dev/static-php-cli/bulk/ endpoint has been returning 404 HTML pages since ~Feb 2026. Without validation, these 2KB HTML error pages were silently uploaded as release assets, breaking all consumers (e.g. mise install). Changes: - Add --fail flag to curl calls so HTTP errors cause immediate failure - Validate each downloaded file with `file` to confirm it's actually a gzip archive (.tar.gz) or Zip archive (.zip) before proceeding - Fail the workflow with clear error messages if validation fails
The JSON API returns full_path with a leading slash (e.g. /static-php-cli/bulk/php-8.4.19-cli-linux-x86_64.tar.gz). Concatenating this with the base URL using "$base/$path" produced a double-slash URL (https://dl.static-php.dev//static-php-cli/...). The server previously normalized double slashes, but stopped doing so around Feb/March 2026, causing all downloads to return 404 HTML pages. This is the actual root cause of the broken release assets. Fix: use "${base}${path}" instead of "${base}/${path}" since full_path already includes the leading slash.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
dl.static-php.dev/static-php-cli/bulk/endpoint has been returning 404 HTML pages since ~Feb 2026.tar.gzrelease assetsmise installand other consumers to fail with "invalid gzip header"Changes
--fail(-f) flag to allcurlcalls so HTTP 4xx/5xx responses cause immediate failure instead of writing error pages to diskfile— confirm.tar.gzfiles aregzip compressedand.zipfiles areZip archive::error::message identifying the bad file and likely causeTest plan
::error::annotation appears in the GitHub Actions UI on failure