fix: 避免更新包覆盖配置文件

Author: orange-juzipi

.github/workflows/release.yml

@@ -100,33 +100,33 @@ jobs:
           echo "Build macOS..."
           mkdir -p build/darwin-amd64 build/darwin-arm64
           GOOS=darwin  GOARCH=amd64  go build -ldflags="${STRIP_LDFLAGS}" -trimpath -o build/darwin-amd64/anssl main.go
-          cp config.example.yaml build/darwin-amd64/config.yaml
-          tar -C build/darwin-amd64 -czf release/anssl-darwin-amd64.tar.gz anssl config.yaml
+          cp config.example.yaml build/darwin-amd64/config.example.yaml
+          tar -C build/darwin-amd64 -czf release/anssl-darwin-amd64.tar.gz anssl config.example.yaml
           GOOS=darwin  GOARCH=arm64  go build -ldflags="${STRIP_LDFLAGS}" -trimpath -o build/darwin-arm64/anssl main.go
-          cp config.example.yaml build/darwin-arm64/config.yaml
-          tar -C build/darwin-arm64 -czf release/anssl-darwin-arm64.tar.gz anssl config.yaml
+          cp config.example.yaml build/darwin-arm64/config.example.yaml
+          tar -C build/darwin-arm64 -czf release/anssl-darwin-arm64.tar.gz anssl config.example.yaml
 
           echo "Build Linux..."
           mkdir -p build/linux-amd64 build/linux-arm64
           GOOS=linux   GOARCH=amd64  go build -ldflags="${STRIP_LDFLAGS}" -trimpath -o build/linux-amd64/anssl main.go
           echo "UPX compress linux-amd64..."
           upx --best build/linux-amd64/anssl || echo "⚠️ ignore UPX failure: linux-amd64"
-          cp config.example.yaml build/linux-amd64/config.yaml
-          tar -C build/linux-amd64 -czf release/anssl-linux-amd64.tar.gz anssl config.yaml
+          cp config.example.yaml build/linux-amd64/config.example.yaml
+          tar -C build/linux-amd64 -czf release/anssl-linux-amd64.tar.gz anssl config.example.yaml
           GOOS=linux   GOARCH=arm64  go build -ldflags="${STRIP_LDFLAGS}" -trimpath -o build/linux-arm64/anssl main.go
           echo "UPX compress linux-arm64..."
           upx --best build/linux-arm64/anssl || echo "⚠️ ignore UPX failure: linux-arm64"
-          cp config.example.yaml build/linux-arm64/config.yaml
-          tar -C build/linux-arm64 -czf release/anssl-linux-arm64.tar.gz anssl config.yaml
+          cp config.example.yaml build/linux-arm64/config.example.yaml
+          tar -C build/linux-arm64 -czf release/anssl-linux-arm64.tar.gz anssl config.example.yaml
 
           echo "Build Windows..."
           mkdir -p build/windows-amd64 build/windows-arm64
           GOOS=windows GOARCH=amd64  go build -ldflags="${BASE_LDFLAGS}" -trimpath -o build/windows-amd64/anssl.exe main.go
-          cp config.example.yaml build/windows-amd64/config.yaml
-          (cd build/windows-amd64 && zip -q ../../release/anssl-windows-amd64.zip anssl.exe config.yaml)
+          cp config.example.yaml build/windows-amd64/config.example.yaml
+          (cd build/windows-amd64 && zip -q ../../release/anssl-windows-amd64.zip anssl.exe config.example.yaml)
           GOOS=windows GOARCH=arm64  go build -ldflags="${BASE_LDFLAGS}" -trimpath -o build/windows-arm64/anssl.exe main.go
-          cp config.example.yaml build/windows-arm64/config.yaml
-          (cd build/windows-arm64 && zip -q ../../release/anssl-windows-arm64.zip anssl.exe config.yaml)
+          cp config.example.yaml build/windows-arm64/config.example.yaml
+          (cd build/windows-arm64 && zip -q ../../release/anssl-windows-arm64.zip anssl.exe config.example.yaml)
 
       - name: Show build info
         run: |

Makefile

@@ -1,5 +1,9 @@
 .PHONY: build build-mac build-linux build-windows compress build-compress proto clean install
 
+VERSION ?= $(shell git describe --tags --abbrev=0 2>/dev/null || echo dev)
+BASE_LDFLAGS := -X github.com/https-cert/deploy/internal/config.Version=$(VERSION)
+STRIP_LDFLAGS := -s -w $(BASE_LDFLAGS)
+
 # 默认目标
 all: proto build
 
@@ -11,50 +15,50 @@ build: build-mac build-linux build-windows
 build-mac:
 	@echo "构建 Mac 版本..."
 	@mkdir -p bin bin/darwin-amd64 bin/darwin-arm64
-	@GOOS=darwin GOARCH=amd64 go build -ldflags="-s -w" -trimpath -o bin/darwin-amd64/anssl main.go
-	@cp config.example.yaml bin/darwin-amd64/config.yaml
-	@tar -C bin/darwin-amd64 -czf bin/anssl-darwin-amd64.tar.gz anssl config.yaml
-	@GOOS=darwin GOARCH=arm64 go build -ldflags="-s -w" -trimpath -o bin/darwin-arm64/anssl main.go
-	@cp config.example.yaml bin/darwin-arm64/config.yaml
-	@tar -C bin/darwin-arm64 -czf bin/anssl-darwin-arm64.tar.gz anssl config.yaml
+	@GOOS=darwin GOARCH=amd64 go build -ldflags="$(STRIP_LDFLAGS)" -trimpath -o bin/darwin-amd64/anssl main.go
+	@cp config.example.yaml bin/darwin-amd64/config.example.yaml
+	@tar -C bin/darwin-amd64 -czf bin/anssl-darwin-amd64.tar.gz anssl config.example.yaml
+	@GOOS=darwin GOARCH=arm64 go build -ldflags="$(STRIP_LDFLAGS)" -trimpath -o bin/darwin-arm64/anssl main.go
+	@cp config.example.yaml bin/darwin-arm64/config.example.yaml
+	@tar -C bin/darwin-arm64 -czf bin/anssl-darwin-arm64.tar.gz anssl config.example.yaml
 	@rm -rf bin/darwin-amd64 bin/darwin-arm64
 	@echo "Mac 版本构建完成"
 
 # 构建 Linux 版本（打包为 tar.gz，内部二进制名为 anssl）
 build-linux:
 	@echo "构建 Linux 版本..."
 	@mkdir -p bin bin/linux-amd64 bin/linux-arm64
-	@GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -trimpath -o bin/linux-amd64/anssl main.go
+	@GOOS=linux GOARCH=amd64 go build -ldflags="$(STRIP_LDFLAGS)" -trimpath -o bin/linux-amd64/anssl main.go
 	@echo "尝试使用 UPX 压缩 linux-amd64 二进制..."
 	@if command -v upx >/dev/null 2>&1; then \
 		upx --best bin/linux-amd64/anssl || echo "UPX 压缩失败（linux-amd64），已忽略"; \
 	else \
 		echo "UPX 未安装，跳过 linux-amd64 压缩"; \
 	fi
-	@cp config.example.yaml bin/linux-amd64/config.yaml
-	@tar -C bin/linux-amd64 -czf bin/anssl-linux-amd64.tar.gz anssl config.yaml
-	@GOOS=linux GOARCH=arm64 go build -ldflags="-s -w" -trimpath -o bin/linux-arm64/anssl main.go
+	@cp config.example.yaml bin/linux-amd64/config.example.yaml
+	@tar -C bin/linux-amd64 -czf bin/anssl-linux-amd64.tar.gz anssl config.example.yaml
+	@GOOS=linux GOARCH=arm64 go build -ldflags="$(STRIP_LDFLAGS)" -trimpath -o bin/linux-arm64/anssl main.go
 	@echo "尝试使用 UPX 压缩 linux-arm64 二进制..."
 	@if command -v upx >/dev/null 2>&1; then \
 		upx --best bin/linux-arm64/anssl || echo "UPX 压缩失败（linux-arm64），已忽略"; \
 	else \
 		echo "UPX 未安装，跳过 linux-arm64 压缩"; \
 	fi
-	@cp config.example.yaml bin/linux-arm64/config.yaml
-	@tar -C bin/linux-arm64 -czf bin/anssl-linux-arm64.tar.gz anssl config.yaml
+	@cp config.example.yaml bin/linux-arm64/config.example.yaml
+	@tar -C bin/linux-arm64 -czf bin/anssl-linux-arm64.tar.gz anssl config.example.yaml
 	@rm -rf bin/linux-amd64 bin/linux-arm64
 	@echo "Linux 版本构建完成"
 
 # 构建 Windows 版本（打包为 zip，内部二进制名为 anssl.exe）
 build-windows:
 	@echo "构建 Windows 版本..."
 	@mkdir -p bin bin/windows-amd64 bin/windows-arm64
-	@GOOS=windows GOARCH=amd64 go build -trimpath -o bin/windows-amd64/anssl.exe main.go
-	@cp config.example.yaml bin/windows-amd64/config.yaml
-	@cd bin/windows-amd64 && zip -q ../../bin/anssl-windows-amd64.zip anssl.exe config.yaml
-	@GOOS=windows GOARCH=arm64 go build -trimpath -o bin/windows-arm64/anssl.exe main.go
-	@cp config.example.yaml bin/windows-arm64/config.yaml
-	@cd bin/windows-arm64 && zip -q ../../bin/anssl-windows-arm64.zip anssl.exe config.yaml
+	@GOOS=windows GOARCH=amd64 go build -ldflags="$(BASE_LDFLAGS)" -trimpath -o bin/windows-amd64/anssl.exe main.go
+	@cp config.example.yaml bin/windows-amd64/config.example.yaml
+	@cd bin/windows-amd64 && zip -q ../../bin/anssl-windows-amd64.zip anssl.exe config.example.yaml
+	@GOOS=windows GOARCH=arm64 go build -ldflags="$(BASE_LDFLAGS)" -trimpath -o bin/windows-arm64/anssl.exe main.go
+	@cp config.example.yaml bin/windows-arm64/config.example.yaml
+	@cd bin/windows-arm64 && zip -q ../../bin/anssl-windows-arm64.zip anssl.exe config.example.yaml
 	@rm -rf bin/windows-amd64 bin/windows-arm64
 	@echo "Windows 版本构建完成"
 

README.md

@@ -23,19 +23,20 @@
 wget https://github.com/https-cert/deploy/releases/latest/download/anssl-linux-amd64.tar.gz
 tar -xzf anssl-linux-amd64.tar.gz
 chmod +x anssl
+cp -n config.example.yaml config.yaml
 sudo mv anssl /usr/local/bin/
 ```
 
 ### 2. 配置
 
-发布包中已包含 `config.yaml` 模板。启动前请修改其中的 `accessKey` 和需要启用的部署目标。
-
-如果从源码运行，可以复制模板：
+发布包中只包含 `config.example.yaml` 模板，不包含真实的 `config.yaml`，避免手动解压更新时覆盖已有配置。首次安装时请复制模板并修改其中的 `accessKey` 和需要启用的部署目标：
 
 ```bash
 cp config.example.yaml config.yaml
 ```
 
+后续更新时只替换 `anssl` 可执行文件即可，不需要重新复制配置模板。
+
 `config.yaml` 示例：
 
 ```yaml

README_EN.md

@@ -23,19 +23,20 @@ Download the binary for your OS from [GitHub Releases](https://github.com/https-
 wget https://github.com/https-cert/deploy/releases/latest/download/anssl-linux-amd64.tar.gz
 tar -xzf anssl-linux-amd64.tar.gz
 chmod +x anssl
+cp -n config.example.yaml config.yaml
 sudo mv anssl /usr/local/bin/
 ```
 
 ### 2. Configure
 
-Release archives include a `config.yaml` template. Before starting, edit its `accessKey` and any deployment targets you want to enable.
-
-If you run from source, copy the template first:
+Release archives include only `config.example.yaml`, not a real `config.yaml`, so manually extracting an update will not overwrite an existing configuration. On first install, copy the template and edit its `accessKey` and any deployment targets you want to enable:
 
 ```bash
 cp config.example.yaml config.yaml
 ```
 
+For later updates, replace only the `anssl` executable; you do not need to copy the configuration template again.
+
 `config.yaml` example:
 
 ```yaml

internal/config/config.go

@@ -11,7 +11,6 @@ import (
 
 var (
 	Config   *Configuration
-	Version  = "v0.5.6"
 	URL      = URLProd
 	URLProd  = "https://anssl.cn/deploy"
 	URLLocal = "http://localhost:9000/deploy"

internal/config/version.go

@@ -0,0 +1,8 @@
+package config
+
+// Version is injected by release builds with:
+//
+//	go build -ldflags="-X github.com/https-cert/deploy/internal/config.Version=vX.Y.Z"
+//
+// Development builds keep "dev" to avoid shipping stale hard-coded versions.
+var Version = "dev"

internal/updater/updater.go

@@ -1,6 +1,7 @@
 package updater
 
 import (
+	"archive/tar"
 	"archive/zip"
 	"compress/gzip"
 	"context"
@@ -18,8 +19,6 @@ import (
 	"strings"
 	"time"
 
-	"archive/tar"
-
 	"github.com/https-cert/deploy/internal/config"
 	"github.com/https-cert/deploy/pkg/logger"
 )
@@ -435,6 +434,14 @@ func getBinaryName() string {
 	return name
 }
 
+// getExecutableName 根据当前系统获取压缩包内的可执行文件名
+func getExecutableName() string {
+	if runtime.GOOS == "windows" {
+		return "anssl.exe"
+	}
+	return "anssl"
+}
+
 // downloadFile 下载文件
 func downloadFile(ctx context.Context, downloadURL, filepath string) error {
 	var lastErr error
@@ -494,6 +501,14 @@ func downloadFileOnce(ctx context.Context, downloadURL, filepath string) error {
 // extractBinary 从下载的文件中提取可执行文件。
 // 支持 .tar.gz、.zip，如果是普通文件则直接返回原路径。
 func extractBinary(downloadPath, tempDir string) (string, error) {
+	return extractBinaryNamed(downloadPath, tempDir, getExecutableName())
+}
+
+func extractBinaryNamed(downloadPath, tempDir, executableName string) (string, error) {
+	if executableName == "" {
+		return "", fmt.Errorf("可执行文件名不能为空")
+	}
+
 	name := filepath.Base(downloadPath)
 
 	// tar.gz 压缩包
@@ -525,21 +540,18 @@ func extractBinary(downloadPath, tempDir string) (string, error) {
 				continue
 			}
 
-			dstPath := filepath.Join(tempDir, filepath.Base(hdr.Name))
-			out, err := os.Create(dstPath)
-			if err != nil {
-				return "", err
+			if filepath.Base(hdr.Name) != executableName {
+				continue
 			}
 
-			if _, err := io.Copy(out, tr); err != nil {
-				out.Close()
+			dstPath := filepath.Join(tempDir, executableName)
+			if err := writeExtractedBinary(dstPath, tr); err != nil {
 				return "", err
 			}
-			out.Close()
 			return dstPath, nil
 		}
 
-		return "", fmt.Errorf("压缩包中未找到可执行文件")
+		return "", fmt.Errorf("压缩包中未找到可执行文件: %s", executableName)
 	}
 
 	// zip 压缩包
@@ -555,36 +567,50 @@ func extractBinary(downloadPath, tempDir string) (string, error) {
 				continue
 			}
 
+			if filepath.Base(f.Name) != executableName {
+				continue
+			}
+
 			rc, err := f.Open()
 			if err != nil {
 				return "", err
 			}
 
-			dstPath := filepath.Join(tempDir, filepath.Base(f.Name))
-			out, err := os.Create(dstPath)
-			if err != nil {
+			dstPath := filepath.Join(tempDir, executableName)
+			if err := writeExtractedBinary(dstPath, rc); err != nil {
 				rc.Close()
 				return "", err
 			}
 
-			if _, err := io.Copy(out, rc); err != nil {
-				rc.Close()
-				out.Close()
+			if err := rc.Close(); err != nil {
 				return "", err
 			}
 
-			rc.Close()
-			out.Close()
 			return dstPath, nil
 		}
 
-		return "", fmt.Errorf("压缩包中未找到可执行文件")
+		return "", fmt.Errorf("压缩包中未找到可执行文件: %s", executableName)
 	}
 
 	// 普通文件，直接返回
 	return downloadPath, nil
 }
 
+func writeExtractedBinary(dstPath string, src io.Reader) (err error) {
+	out, err := os.OpenFile(dstPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0755)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if closeErr := out.Close(); err == nil {
+			err = closeErr
+		}
+	}()
+
+	_, err = io.Copy(out, src)
+	return err
+}
+
 // verifyChecksum 验证文件的 SHA256 校验和
 func verifyChecksum(binaryPath, checksumPath, binaryName string) error {
 	// 读取 checksums.txt