harden install.sh with preflight, unattended mode, version pinning #5
Merged
mgorabbani (Owner) commented Apr 20, 2026
- Hardened curl (--proto '=https' --tlsv1.2) for all fetches
- Preflight checks: disk, memory, architecture, port conflicts, registry reachability
- Unattended mode via ASKDB_UNATTENDED=1 + ASKDB_PROFILE/DOMAIN/ACME_EMAIL/CF_TUNNEL_TOKEN
- Version pinning via ASKDB_VERSION (defaults to main)
- Install logging to /var/log/askdb-install.log with error trap that dumps recent logs
- Backup .env to .env.bak on upgrade; atomic compose/Caddyfile replace
- Add shellcheck CI workflow

- Safe default: stop containers only, preserve askdb-data volume
- --purge: remove containers, volumes (askdb-data, caddy-data, caddy-config), and install dir
- --backup <path>: tar the askdb-data volume before destructive actions
- --remove-images: also delete docker images
- ASKDB_UNATTENDED=1 skips confirmations for CI/automation
- Installer now prints the uninstall one-liner in its success message

Triggers on v*.*.* tag push (or manual dispatch):
- Builds linux/amd64 + linux/arm64 image, pushes to ghcr.io with semver tags (vX.Y.Z, vX.Y, vX, latest) + provenance + SBOM
- Creates a GitHub Release with install.sh / uninstall.sh pinned to the tag, SHA256SUMS for verification, and an auto-generated changelog
- Install one-liner documented in the release body

- install.sh: 230 -> 134 lines; drop preflight cruft, log-tee, fetch wrapper, prompt helper, error trap; keep root/OS check, docker bootstrap, interactive + env-var config, version pin, health wait
- uninstall.sh: 145 -> 33 lines; just stop (default) or --purge
- release.yml: drop SBOM/provenance, manual dispatch, custom changelog, install.sh sed-pinning, SHA256SUMS. Tag push -> multi-arch GHCR push + GH Release with install/uninstall attached and auto notes.
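
The fetch, verify and replace steps named in these commit messages (hardened curl, SHA256SUMS verification, atomic compose/Caddyfile replace, .env backup), sketched as an added example that is not code from this pull request. The function names and the sha256sum-format checksum file layout are assumptions.

```shell
#!/bin/sh
# Added example, not the project's install.sh. All function names are hypothetical.

# HTTPS-only, TLS >= 1.2 download. -f turns HTTP errors into a non-zero exit
# instead of saving the error page as if it were the requested file.
hardened_fetch() {  # hardened_fetch URL OUTFILE
    curl --proto '=https' --tlsv1.2 -fsSL "$1" -o "$2"
}

# True only if FILE's SHA-256 equals the entry for NAME in SUMS.
# SUMS is assumed to be in sha256sum format: "<hex>  <name>" or "<hex> *<name>".
sha256_matches() {  # sha256_matches FILE NAME SUMS
    want=$(awk -v n="$2" '$2 == n || $2 == "*" n { print $1; exit }' "$3")
    got=$(sha256sum "$1" | awk '{ print $1 }')
    # A missing entry leaves $want empty and must fail closed.
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Download to a temp file next to DEST, verify it, then rename into place.
# rename() within one directory is atomic, so DEST is always either the old
# file or the verified new one, never a partial or unverified download.
install_verified() {  # install_verified URL NAME SUMS DEST
    tmp=$(mktemp "$4.XXXXXX") || return 1
    if hardened_fetch "$1" "$tmp" && sha256_matches "$tmp" "$2" "$3"; then
        mv -f "$tmp" "$4"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Keep a copy of the existing .env before an upgrade touches the install dir.
backup_env() {  # backup_env INSTALL_DIR
    [ -f "$1/.env" ] || return 0   # fresh install: nothing to back up
    cp -p "$1/.env" "$1/.env.bak"
}
```

mktemp creates the staged file with mode 0600, so a caller that needs the destination readable by other users has to chmod it before the rename.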