fix: remove unauthenticated hosted core updates#9081
Conversation
Hey - I've left some high level feedback:
- Now that hosted core package support is removed, consider cleaning up any remaining configuration knobs related to it (e.g., ASTRBOT_CORE_PACKAGE_BASE_URL or similar constants) to avoid confusion for deployers.
- The log message in the hosted download fallback branch was removed along with the feature; double-check that remaining update-related log messages still accurately describe the current behavior and don’t reference a non-existent fallback path.
Code Review
This pull request removes the logic for downloading AstrBot Core updates from a hosted mirror/registry, simplifying the update process to directly download from the release zipball URL. Associated tests have been updated and simplified to reflect this change. No review comments were provided, so there is no additional feedback to address.
This still needs discussion.
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! | astrbot-docs | f2241c8 | Commit Preview URL / Branch Preview URL | Jun 30 2026, 05:55 AM |
Motivation
`zipball_url`) or explicit GitHub archive URLs to prevent arbitrary code execution from a compromised CDN/storage path.
Description
- `_build_core_package_url` logic so the updater no longer constructs or prefers `.../download/astrbot-core/{tag}/source.zip`.
- `zipfile.is_zipfile()` before accepting it; the updater now always downloads the release `zipball_url` (or the GitHub archive for commit hashes).
- `tests/test_updator_socks.py` to assert that the release `zipball_url` is used for core package downloads and to remove assertions that relied on the hosted-package behavior.
Testing
- `ruff format` and `ruff check` on the modified files (`astrbot/core/updator.py` and `tests/test_updator_socks.py`), which completed successfully locally.
- `pytest` for the targeted updater tests, but the test run was blocked by the missing test runtime dependency `pytest_asyncio` in the environment, so `pytest` could not be completed.
- `uv`-based formatting/check attempts were blocked by network/cache dependency resolution in this environment, and `git diff --check` reported no issues.
Codex Task
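As an added illustration of the policy this PR adopts (example code written for this page, not AstrBot's updater and not part of the PR): a resolver that takes a release reference plus the release metadata, returns the release `zipball_url` for a tag or GitHub's archive URL for a full commit SHA, and refuses any URL whose host is not on a short GitHub allow-list, so a hosted `.../download/astrbot-core/{tag}/source.zip` path can never be selected even if tampered metadata names it. The repository coordinates `example-org/example-core`, the function names and the `TRUSTED_HOSTS` set are assumptions; the `zipball_url` and `/archive/<sha>.zip` URL shapes follow GitHub's public conventions. The last two helpers build a constructed sample archive to show why the `zipfile.is_zipfile()` check the removed fallback relied on was never an authenticity check: it accepts any well-formed zip, including one carrying arbitrary code.

```python
from __future__ import annotations

import re
import zipfile
from io import BytesIO
from urllib.parse import urlsplit

# Hosts a core archive may be fetched from (assumed allow-list). A mirror, an
# object-storage bucket or any other CDN path is rejected even if release
# metadata names it.
TRUSTED_HOSTS = frozenset({"github.com", "api.github.com", "codeload.github.com"})

# Only a full 40-hex-digit commit SHA is accepted as a commit reference.
_COMMIT_SHA = re.compile(r"[0-9a-f]{40}")

# Hypothetical repository coordinates, not AstrBot's real values.
OWNER, REPO = "example-org", "example-core"


def is_trusted_source(url: str) -> bool:
    """True only for https URLs whose hostname is on the allow-list.

    urlsplit().hostname strips userinfo, so "https://github.com@evil.example/x"
    resolves to host "evil.example" and is rejected.
    """
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_HOSTS


def resolve_core_download_url(ref: str, release: dict | None) -> str:
    """Return the archive URL for `ref`, refusing anything off the allow-list.

    A release tag resolves to the release's `zipball_url`; a full commit SHA
    resolves to GitHub's archive endpoint for that commit. No hosted-package
    URL is ever constructed or preferred.
    """
    if release is not None and release.get("tag_name") == ref:
        url = str(release.get("zipball_url", ""))
    elif _COMMIT_SHA.fullmatch(ref):
        url = f"https://github.com/{OWNER}/{REPO}/archive/{ref}.zip"
    else:
        raise ValueError(f"unknown core ref: {ref!r}")
    if not is_trusted_source(url):
        raise ValueError(f"refusing untrusted core download source: {url}")
    return url


def is_rejected(ref: str, release: dict | None) -> bool:
    """Does the resolver refuse this ref/metadata pair?"""
    try:
        resolve_core_download_url(ref, release)
    except ValueError:
        return True
    return False


def build_zip(files: dict[str, bytes]) -> bytes:
    """Constructed sample archive (not a real release) with caller-chosen files."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def passes_format_check(archive: bytes) -> bool:
    """The only check the removed fallback applied: is this blob a zip at all?"""
    return zipfile.is_zipfile(BytesIO(archive))


if __name__ == "__main__":
    good = {"tag_name": "v4.0.0",
            "zipball_url": f"https://api.github.com/repos/{OWNER}/{REPO}/zipball/v4.0.0"}
    print(resolve_core_download_url("v4.0.0", good))
    print(resolve_core_download_url("a" * 40, None))

    # Tampered metadata pointing at a hosted CDN path is refused.
    tampered = {"tag_name": "v4.0.0",
                "zipball_url": "https://cdn.example.net/download/astrbot-core/v4.0.0/source.zip"}
    print("tampered rejected:", is_rejected("v4.0.0", tampered))

    # A zip carrying arbitrary code still passes the format check, which is
    # why is_zipfile() was never an integrity or authenticity guarantee.
    payload = build_zip({"astrbot/__init__.py": b"import os; os.system('id')\n"})
    print("payload passes is_zipfile:", passes_format_check(payload))
```

The allow-list is applied to `urlsplit(...).hostname`, so userinfo tricks (`https://github.com@evil.example/...`), plain `http://`, and look-alike subdomains (`github.com.evil.example`) all fall outside it. What this example does not cover is the transport itself: a trusted host still needs certificate verification left enabled in the HTTP client, and a pinned release asset digest would be the next step beyond host allow-listing.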
Summary by Sourcery
Remove the unauthenticated hosted core update path so core updates are always fetched from trusted release metadata or GitHub archives.
Bug Fixes:
Tests: