[Depends on #3828] feat(installer): stage hosted install assets #3853

Merged
yiliang114 merged 5 commits into codex/installer-release-assets from codex/installer-hosted-entrypoint
May 11, 2026
@yiliang114
Collaborator

@yiliang114 yiliang114 commented May 5, 2026

Summary

  • What changed: stages the hosted installer entrypoint assets (install-qwen.sh and install-qwen.bat) from the source-tracking installer scripts, writes SHA256SUMS for upload verification, and documents how the staged files should be synced to the hosted installation path.
  • Why it changed: GitHub Releases should stay focused on standalone archives, while the public quick-install entrypoint should be served from a stable hosted URL. This PR prepares the hosted installer assets without adding per-release installer assets.
  • Reviewer focus: hosted asset staging, checksum coverage, and whether the docs clearly distinguish hosted installer assets from GitHub Release standalone archives.

Scope

This PR intentionally does not add an extensionless install GitHub Release asset and does not upload install-qwen.sh / install-qwen.bat to GitHub Releases.

The hosted install flow remains OS-specific at the script layer:

curl -fsSL https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen.sh | bash
curl -fsSL https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen.sh | bash -s -- --version vX.Y.Z

$installer = Join-Path $env:TEMP 'install-qwen.bat'
Invoke-WebRequest 'https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen.bat' -OutFile $installer
& $installer --version vX.Y.Z

The installer still downloads the matching platform-specific standalone archive, so this remains on the standalone/binary installation track.

Hosted Upload Status

The hosted OSS objects currently exist: curl -fsSIL returns 200 OK for both installation/install-qwen.sh and installation/install-qwen.bat as of 2026-05-07.

This PR only stages the files and checksums needed to update those hosted objects. It does not automate the OSS/CDN upload step. Until a follow-up release automation step is added, release operators should run npm run package:hosted-installation and sync the staged files byte-for-byte to the hosted paths.

Validation

Commands run:

npm run test:scripts
npx eslint scripts/build-hosted-installation-assets.js scripts/tests/install-script.test.js
npx prettier --check scripts/build-hosted-installation-assets.js scripts/tests/install-script.test.js scripts/installation/INSTALLATION_GUIDE.md
bash -n scripts/installation/install-qwen-with-source.sh
git diff --check
curl -fsSIL https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen.sh
curl -fsSIL https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen.bat

Observed: npm run test:scripts reports 43 passed and 4 Windows-only tests skipped on macOS. eslint, prettier, shell syntax, whitespace checks, and hosted URL HEAD checks are clean.

Scope / Risk

  • No CLI runtime behavior change.
  • No public quick-install URL switch in this PR.
  • No GitHub Release asset upload change in this PR.
  • The hosted staging command rejects stale unexpected files and rewrites SHA256SUMS from scratch.
  • The staged SHA256SUMS entries are emitted in installer filename order for stable diffs.
  • The hosted staging command checks that both source installers still support --version, QWEN_INSTALL_VERSION, and the latest default needed by the hosted entrypoint.
  • Actual OSS/CDN upload automation is still outside this PR and should remain a follow-up release operation.

Testing Matrix

🍏 🪟 🐧
npm run ⚠️ ⚠️
npx ⚠️ ⚠️
Docker N/A N/A N/A
Podman N/A N/A N/A
Seatbelt N/A N/A N/A

Testing matrix notes:

  • macOS local focused script checks passed.
  • Windows and Linux are covered by repository CI for this PR.

Linked Issues / Bugs

Related #3728

Depends on #3828

@yiliang114 yiliang114 force-pushed the codex/installer-hosted-entrypoint branch from 10e27d5 to a205e6c Compare May 5, 2026 12:15
@yiliang114 yiliang114 marked this pull request as ready for review May 5, 2026 12:52
@yiliang114 yiliang114 requested a review from wenshao May 5, 2026 12:54
@yiliang114
Collaborator Author

@copilot pls review for me

Contributor

Copilot AI commented May 5, 2026

@copilot pls review for me

Code Review Summary

The change is correct, well-scoped, and all 40 tests pass (npm run test:scripts). Here are my findings:


What the PR does
Adds an extensionless install release asset that is a byte-for-byte copy of install-qwen.sh (both sourced from install-qwen-with-source.sh). It is uploaded in the release workflow and included in SHA256SUMS.


✅ Looks good

  • scripts/release-asset-config.js: The new entry is correct — same source file, mode: 0o755, placed logically between install-qwen.sh and install-qwen.bat. The comment "keep byte-for-byte identical" is helpful.
  • .github/workflows/release.yml: The dist/standalone/install \ line is correctly placed and will be picked up by the build-installation-assets script during packaging.
  • scripts/tests/install-script.test.js: Strong test coverage — verifies the alias is built, is byte-identical to install-qwen.sh, has executable permissions, appears in SHA256SUMS (via the precise /\sinstall\n/ regex that won't false-match install-qwen.sh), and that both the workflow and guide reference the new asset.
  • Documentation: The INSTALLATION_GUIDE.md correctly lists install under release artifacts, explains its relationship to install-qwen.sh, and clearly marks the hosted endpoint (https://qwen-code.ai/install) as not yet live.

⚠️ Minor observation (non-blocking)

  • The checksum regex toMatch(/\sinstall\n/) uses a Unix \n newline. If SHA256SUMS ever gets generated on Windows with \r\n endings, this test would fail. Consider toMatch(/\sinstall(\r?\n|$)/) for robustness. Low risk in practice since SHA256SUMS generation is a Unix shell step.
  • The INSTALLATION_GUIDE.md section header still reads "GitHub releases publish these standalone archives" but now includes installer scripts (install, install-qwen.sh, install-qwen.bat). This existed before this PR (pre-existing issue), but could be renamed to "Release Assets" for accuracy.

Verdict: ✅ Approved with minor suggestions above. The implementation is clean and the risk is low since the install asset is purely additive (new file name, no changes to existing assets or install flows).

@yiliang114 yiliang114 changed the base branch from codex/installer-release-assets to main May 5, 2026 13:21
@yiliang114 yiliang114 marked this pull request as draft May 5, 2026 13:21
Comment thread scripts/installation/install-qwen-with-source.bat
Collaborator

@wenshao wenshao left a comment

Overall this is a tight, well-tested change — adding a second INSTALLATION_ASSETS entry that maps the same source to install is the cleanest way to introduce the alias, and the byte-equality test plus SHA256SUMS coverage prevent silent drift.

A few inline notes below. The main ask is reverting the unrelated package-lock.json line so the diff stays focused. The rest are nits.

One non-inline observation: the docs reference https://qwen-code.ai/install while explicitly noting the endpoint isn't live. That's honest, but it would be worth filing/linking a tracking issue for actually wiring up the endpoint so the asset doesn't sit unused indefinitely.

Comment thread package-lock.json
Comment thread scripts/tests/install-script.test.js Outdated
Comment thread scripts/tests/install-script.test.js Outdated
Comment thread .github/workflows/release.yml Outdated
@yiliang114 yiliang114 changed the base branch from main to codex/installer-release-assets May 7, 2026 03:45
@yiliang114 yiliang114 force-pushed the codex/installer-hosted-entrypoint branch from 16a4af9 to 587dc1f Compare May 7, 2026 08:55
@yiliang114 yiliang114 changed the title feat(installer): add hosted install release alias feat(installer): stage hosted install assets May 7, 2026
@yiliang114 yiliang114 changed the title feat(installer): stage hosted install assets [Depends on #3828] feat(installer): stage hosted install assets May 7, 2026
- Replace the loose `latest` fragment check with per-format regex patterns
  in HOSTED_INSTALLER_DEFAULT_VERSION_PATTERNS so an unrelated occurrence
  of `latest` (comment, help text) cannot satisfy the staging guard. The
  patterns still tolerate whitespace variation, only the default-version
  assignment itself must be intact.
- Add a "Hosted endpoint status" callout in INSTALLATION_GUIDE.md before
  the curl examples. The documented `--version` flow does not work against
  the OSS URL today because it currently serves the legacy NVM-based
  installer; the callout points users at a local checkout until the next
  release sync.
- Tests: drop `latest` from the fragments equality assertion, add positive
  and negative regex coverage, add a failure-path case for sources whose
  default version is not `latest`, and pin the new guide markers so the
  callout cannot silently disappear.
@yiliang114
Collaborator Author

yiliang114 commented May 7, 2026

Latest local validation for this PR (head 2e4086a):

  • npm run test:scripts: 44 passed, 4 Windows-only tests skipped on macOS
  • npx eslint scripts/build-hosted-installation-assets.js scripts/tests/install-script.test.js: passed
  • npx prettier --check scripts/build-hosted-installation-assets.js scripts/tests/install-script.test.js scripts/installation/INSTALLATION_GUIDE.md package.json: passed
  • bash -n scripts/installation/install-qwen-with-source.sh: passed
  • git diff --check origin/codex/installer-release-assets...HEAD: passed

Hosted-related test cases (all green):

✓ loads the hosted installation asset staging helper
✓ installer scripts honor --version for hosted entrypoints
✓ stages hosted installation assets with checksums
✓ rejects hosted installer sources missing pinned install behavior
✓ rejects hosted installer sources whose default version is not latest
✓ rejects stale hosted installation assets in the output directory

Staging output (npm run package:hosted-installation):

dist/installation/
├── install-qwen.bat   28K  -rw-r--r--
├── install-qwen.sh    28K  -rwxr-xr-x
└── SHA256SUMS         165  -rw-r--r--

SHA256SUMS contents (alphabetical, sorted by writeHostedSha256Sums):
4dd529739b55db277d6cc9c602e1de730e6ab6bff468d76c399d30d15dcda8d1  install-qwen.bat
3db108edae9433d97807e5f3764f2ec4113d9ece700d3fdaa4fa4c051fe98cc1  install-qwen.sh

Integrity checks:

$ diff dist/installation/install-qwen.sh scripts/installation/install-qwen-with-source.sh && echo OK
OK
$ diff dist/installation/install-qwen.bat scripts/installation/install-qwen-with-source.bat && echo OK
OK
$ (cd dist/installation && shasum -a 256 -c SHA256SUMS)
install-qwen.bat: OK
install-qwen.sh: OK

Stale-output protection:

$ touch dist/installation/install   # leftover from a prior alias-file iteration
$ npm run package:hosted-installation
ERROR: Unexpected hosted installer asset: install

Hosted URL probes (2026-05-07):

$ curl -fsI https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen.sh
HTTP/1.1 200 OK
Content-Type: application/x-sh
Content-Length: 18372
Last-Modified: Wed, 11 Mar 2026 10:59:01 GMT

$ curl -fsI https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen.bat
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 9959
Last-Modified: Wed, 11 Mar 2026 10:59:01 GMT

The OSS URLs are reachable but currently serve the older NVM-based installer (size and Last-Modified above), which is why INSTALLATION_GUIDE.md adds the explicit Hosted endpoint status callout. This PR only stages the files and checksums; OSS/CDN upload remains a follow-up release operation.
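
The staging guards described in this thread (allowlisted filenames, stale-output rejection, SHA256SUMS rewritten in filename order, then exact-coverage verification before sync), as an added example that is not the PR's or the project's own code. The function names, the `sources` mapping and the sample installer contents are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
// Assumed allowlist (names from the PR description), kept in filename order.
const HOSTED_ASSETS = ['install-qwen.bat', 'install-qwen.sh'];
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Hypothetical helper: `sources` maps each asset name to its source script path.
function stageHostedAssets(sources, outDir) {
  fs.mkdirSync(outDir, { recursive: true });
  // Stale-output guard: any leftover outside the allowlist aborts staging.
  const stale = fs.readdirSync(outDir).find((e) => e !== 'SHA256SUMS' && !HOSTED_ASSETS.includes(e));
  if (stale) throw new Error(`Unexpected hosted installer asset: ${stale}`);
  const lines = HOSTED_ASSETS.map((name) => {
    const bytes = fs.readFileSync(sources[name]); // copied unchanged
    fs.writeFileSync(path.join(outDir, name), bytes);
    return `${sha256(bytes)}  ${name}`;
  });
  fs.writeFileSync(path.join(outDir, 'SHA256SUMS'), `${lines.join('\n')}\n`);
  return lines;
}

// Verification: SHA256SUMS must list exactly the allowlist and every hash must match.
function verifyStagedAssets(outDir) {
  const text = fs.readFileSync(path.join(outDir, 'SHA256SUMS'), 'utf8');
  const entries = text.split(/\r?\n/).filter(Boolean).map((line) => {
    const m = /^([0-9a-f]{64}) [ *](\S+)$/.exec(line);
    if (!m) throw new Error(`Malformed SHA256SUMS line: ${line}`);
    return { hash: m[1], name: m[2] };
  });
  const names = entries.map((e) => e.name); // checked before use in any path
  if (names.join() !== HOSTED_ASSETS.join()) throw new Error(`SHA256SUMS lists [${names}]`);
  const bad = entries.find((e) => sha256(fs.readFileSync(path.join(outDir, e.name))) !== e.hash);
  if (bad) throw new Error(`Checksum mismatch: ${bad.name}`);
  return names;
}

// Constructed sample: two placeholder installers staged into a temp directory.
function stageSample() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'hosted-'));
  const sources = {};
  for (const name of HOSTED_ASSETS) {
    sources[name] = path.join(dir, `src-${name}`);
    fs.writeFileSync(sources[name], `constructed sample for ${name}\n`);
  }
  stageHostedAssets(sources, path.join(dir, 'out'));
  return { outDir: path.join(dir, 'out'), sources };
}
```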

@yiliang114 yiliang114 marked this pull request as ready for review May 7, 2026 11:22
yiliang114 added a commit that referenced this pull request May 7, 2026
The previous draft imported INSTALLATION_ASSET_NAMES and verified
install / install-qwen.sh / install-qwen.bat as release assets, but those
were removed in #3828 (per-release installer publishing dropped) and
#3853 (install alias dropped). The verifier now targets only standalone
archives + SHA256SUMS, both for --dir and --base-url modes, and the
release workflow Verify step is anchored after Build Standalone Archives.

Local --dir mode:
- All five qwen-code-{platform}.{ext} archives must exist.
- SHA256SUMS must cover exactly those five — missing or extra entries fail.
- Each archive's actual SHA256 must match its SHA256SUMS entry.

Remote --base-url mode:
- SHA256SUMS is downloadable, parseable, and contains the expected entries.
- Each archive URL is reachable via HEAD, with a 1-byte ranged GET fallback
  for hosts that disable HEAD.

Hosted installer scripts (install-qwen.sh / install-qwen.bat) are
intentionally out of scope here — they are served from the hosted endpoint
prepared by package:hosted-installation, not from the GitHub Release surface
this verifier targets.
yiliang114 added a commit that referenced this pull request May 7, 2026
Adds `npm run verify:installation-release` and wires it into the release
workflow after `Build Standalone Archives`, so a broken release directory
fails CI before publishing.

Local mode (`--dir PATH`) checks:
- All five `qwen-code-{platform}.{ext}` standalone archives exist.
- `SHA256SUMS` covers exactly those five — missing or unexpected entries fail.
- Each archive's actual SHA256 matches its `SHA256SUMS` entry.

Remote mode (`--base-url URL`) checks:
- `SHA256SUMS` is downloadable, parseable, and contains exactly the expected
  archive entries.
- Each archive URL is reachable via HEAD, with a 1-byte ranged GET fallback
  for hosts that disable HEAD.

Hosted installer scripts (`install-qwen.sh` / `install-qwen.bat`) are
intentionally out of scope here — they are served from the hosted endpoint
prepared by `package:hosted-installation` (PR #3853), not from the GitHub
Release surface this verifier targets.
@yiliang114 yiliang114 requested a review from wenshao May 7, 2026 13:14
Collaborator

@wenshao wenshao left a comment

No issues found. LGTM! ✅ — DeepSeek/deepseek-v4-pro via Qwen Code /review

@yiliang114 yiliang114 merged commit 2e4086a into codex/installer-release-assets May 11, 2026