Using Github Release to automatically check newest release about flow.launcher.pluginsmanifest HOT 6 CLOSED

        private async Task<UpdateManager> GitHubUpdateManager(string repository)
        {
            var uri = new Uri(repository);
            var api = $"https://api.github.com/repos{uri.AbsolutePath}/releases";


            var jsonStream = await Http.GetStreamAsync(api).ConfigureAwait(false);


            var releases = await System.Text.Json.JsonSerializer.DeserializeAsync<List<GithubRelease>>(jsonStream).ConfigureAwait(false);
            var latest = releases.Where(r => !r.Prerelease).OrderByDescending(r => r.PublishedAt).First();
            var latestUrl = latest.HtmlUrl.Replace("/tag/", "/download/");


            var client = new WebClient { Proxy = Http.WebProxy };
            var downloader = new FileDownloader(client);


            var manager = new UpdateManager(latestUrl, urlDownloader: downloader);


            return manager;
        }

from flow.launcher.pluginsmanifest.

Here are some idea.

1. Remove the version number in plugin.json, since it will not be updated here.
2. Add JsonDeserilization in PluginManager like what has done in Updater.cs.
3. Only add the project url in pluginmanifest instead of the direct downloadurl.

from flow.launcher.pluginsmanifest.

Here are some idea.

1. Remove the version number in plugin.json, since it will not be updated here.
2. Add JsonDeserilization in PluginManager like what has done in Updater.cs.
3. Only add the project url in pluginmanifest instead of the direct downloadurl.

I think we can follow the way Updater.cs checking the newest update for Flow to automatically get the newest update for plugins instead of storing the direct download link in plugin.json.
This can avoid updating pluginsmanifest every time plugins update. Or checking the update is also part of the review process?

hmm the reason i included version is so we dont have a scenario where malicious actor creates a plugin, gets approved, then uploads another zip file, and our code just looks for the latest and updates user's plugin to the malicious new release. At lease we can say on the day of our approval, we approved this version as at this date, any subsequent uploads to the same version we will not be able to be responsible. If we just approve the plugin once, subsequent uploads we won't know about.

What do you think?

from flow.launcher.pluginsmanifest.

Only add the project url in pluginmanifest instead of the direct downloadurl.

Project url/website, code url and direct download url are separated in the case where people may decide to have a website for the plugin different to where the code lives, eg GitLab

from flow.launcher.pluginsmanifest.

Only add the project url in pluginmanifest instead of the direct downloadurl.

Project url/website, code url and direct download url are separated in the case where people may decide to have a website for the plugin different to where the code lives, eg GitLab

You are right, but manually pr every update may be quite significant works when Plugins become more... Maybe we can provide different way of doing that. By providing direct url, we won't support auto update, while we can support auto update for github or gitlab.

from flow.launcher.pluginsmanifest.

Maybe we can use CI to automatically check for new update, and update the file.

from flow.launcher.pluginsmanifest.