Skip to content

Fix setup-atmos Windows installs#111

Merged
Erik Osterman (Cloud Posse) (osterman) merged 8 commits into
mainfrom
osterman/fix-setup-atmos-windows-ci
Jul 3, 2026
Merged

Fix setup-atmos Windows installs#111
Erik Osterman (Cloud Posse) (osterman) merged 8 commits into
mainfrom
osterman/fix-setup-atmos-windows-ci

Conversation

@osterman

Copy link
Copy Markdown
Member

what

  • Fix release asset parsing for Windows .exe assets and install runnable atmos.exe/wrapper shims across OSes.
  • Add checksum validation input defaulting to warn, 80% coverage enforcement, expanded Jest tests, and OS/mode CI matrix.
  • Rebuild committed dist/ artifacts.

why

  • Windows runners need atmos immediately after setup for wrapper and no-wrapper modes.
  • Checksum validation catches corrupted downloads while preserving current behavior when checksums are missing.

references

  • Validation: npm run format:check, npm run lint:check, npm run test:coverage -- --runInBand, npm run clean && npm run build && npm run build:wrapper.

@osterman

Copy link
Copy Markdown
Member Author

CodeRabbit (@coderabbitai) full review

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown
✅ Action performed

Full review finished.

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Review Change Stack

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0199a59c-5514-491e-8412-017b51e20218

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • ✅ Review completed - (🔄 Check again to review again)
📝 Walkthrough

Walkthrough

This PR adds SHA256 checksum validation to the atmos installer (with warn/enforce/skip modes), refactors the wrapper entrypoint into an exported runWrapper function, updates install/cache logic, adjusts CI workflows and removes validate-codeowners, updates docs/config, and substantially expands unit tests.

Changes

Checksum Validation and Installer Feature

Layer / File(s) Summary
Checksum types and contracts
src/interfaces.ts
Adds ChecksumValidationMode type and optional checksumsUrl field on IAtmosVersionInfo.
Installer checksum utilities
src/installer.ts
Adds crypto import, checksum constants, asset filename parsing, mode parsing/validation, expected-digest extraction, and verification logic; includes checksumsUrl in version resolution.
Install/cache flow updates
src/installer.ts
Updates installAtmosVersion/getAtmos to accept checksumValidation, wires pre-install checksum checks, reworks tool-cache naming/PATH configuration, updates Windows/non-Windows wrapper installation.
Action input and entrypoint wiring
action.yml, src/main.ts
Adds checksum-validation input, updates runtime to node24, parses input in run and passes it through, changes failure handling to core.setFailed.
Wrapper entrypoint refactor and tests
src/wrapper.ts, src/__tests__/wrapper.test.ts
Introduces exported runWrapper(pathToCLI) guarded by require.main, with new tests for success, exit codes, and lookup failure.
Installer and setup-atmos tests
src/__tests__/setup-atmos.test.ts
Reworks tests using mocked octokit/actions/tool-cache covering asset parsing, checksum verification, install-path behavior, cache naming, run() wiring, and system helpers.
Docs and build config
README.yaml, jest.config.js, package.json
Updates description/checksum docs, adds Jest coverage thresholds, adds test:coverage script.

CI Workflow Restructuring

Layer / File(s) Summary
Build/integration job restructuring
.github/workflows/main.yml, .github/workflows/validate-codeowners.yml
Switches build to check/coverage scripts, removes explicit checkout ref, adds matrix-based integration job, keeps tagger job after integration, removes validate-codeowners workflow.

Estimated code review effort: 4 (Complex) | ~60 minutes

Related PRs: None identified in the provided information.

Suggested reviewers: None specified.

Poem:

A rabbit checks each hash with care,
warn, enforce, or skip — beware!
The wrapper runs its guarded way,
CI jobs matrix out today.
Coverage climbs to eighty-plus,
this bunny hops without a fuss. 🐰

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately highlights the main change: fixing Windows installs for setup-atmos.
Description check ✅ Passed The description is clearly related to the changeset and summarizes the Windows install, checksum, tests, and CI updates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch osterman/fix-setup-atmos-windows-ci

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/main.yml (1)

9-9: 🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick win

Keep the PR-head checkout if this job must validate the contributor’s branchactions/checkout on pull_request uses the merge ref, so fork PRs are linted/tested/built against merged code instead of the head commit.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/main.yml at line 9, The checkout step in the workflow is
using the default pull_request merge ref, so this job may validate merged code
instead of the contributor’s branch. Update the `actions/checkout` usage in the
workflow to explicitly check out the PR head when this job is meant to
lint/test/build the contributor’s changes, and keep the existing workflow/job
structure intact while adjusting the checkout configuration.
src/installer.ts (1)

305-317: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Clean up the downloaded binary when checksum verification fails.

downloadPath is only removed after io.cp; any error from verifyDownloadedTool leaves the downloaded asset behind.

Proposed cleanup
   core.info(`Acquiring ${info.resolvedVersion} from ${info.downloadUrl}`);
   const downloadPath = await tc.downloadTool(info.downloadUrl, undefined, auth);
   const toolPath = path.join(atmosInstallPath, atmosBinName);
 
-  await verifyDownloadedTool(info, downloadPath, auth, checksumValidation);
-
-  core.info("Installing downloaded file...");
-  // Ensure the destination directory exists
-  await io.mkdirP(atmosInstallPath);
-  // Use copy + delete instead of mv/rename to handle cross-device installations
-  // This fixes EXDEV errors in Docker-in-Docker and other containerized environments
-  await io.cp(downloadPath, toolPath);
-  await io.rmRF(downloadPath);
+  try {
+    await verifyDownloadedTool(info, downloadPath, auth, checksumValidation);
+
+    core.info("Installing downloaded file...");
+    await io.mkdirP(atmosInstallPath);
+    await io.cp(downloadPath, toolPath);
+  } finally {
+    await io.rmRF(downloadPath);
+  }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/installer.ts` around lines 305 - 317, The cleanup around the
download/install flow in installer.ts leaves the file returned by
tc.downloadTool behind when verifyDownloadedTool fails. Update the download
handling in the install path near verifyDownloadedTool and io.cp so the
temporary downloadPath is removed on checksum verification errors as well, using
a try/finally or equivalent cleanup around the acquisition/verification block
while preserving the existing copy-and-delete install behavior.
🧹 Nitpick comments (1)
src/wrapper.ts (1)

65-69: 🩺 Stability & Availability | 🔵 Trivial | 💤 Low value

Floating promise on module-level runWrapper() call.

The invocation isn't awaited or has an explicit .catch(). Since runWrapper's internal try/catch always routes failures to core.setFailed, this is unlikely to cause an unhandled rejection in practice, but adding a .catch() would be a small defensive improvement.

🛡️ Optional defensive tweak
 if (require.main === module) {
-  runWrapper();
+  void runWrapper();
 }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/wrapper.ts` around lines 65 - 69, The module-level runWrapper() call is a
floating promise in the require.main === module branch, so add an explicit
.catch() handler (or equivalent top-level await pattern) to the runWrapper
invocation in src/wrapper.ts. Use the runWrapper function and the module
entrypoint guard as the anchor points, and make the fallback handler minimally
defensive by forwarding any unexpected rejection to core.setFailed.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/main.yml:
- Line 48: The checkout step in the workflow is persisting git credentials
unnecessarily. Update the actions/checkout usage in the main job to set
persist-credentials to false so the workflow does not keep push-capable
credentials after checkout. Keep the change scoped to the checkout step and
ensure the job still only checks out code without storing auth.
- Around line 34-47: The new integration job is missing an explicit
least-privilege permissions block, so it currently inherits broad default
GITHUB_TOKEN access. Add a permissions setting on the integration job in
main.yml and scope it down to only what the job needs, such as contents: read,
while keeping the existing matrix and steps intact.
- Around line 56-65: The “Verify outputs are available” step is interpolating
atmos outputs directly into the run script, which creates a template-injection
risk. Move steps.atmos.outputs.stdout, stderr, and exitcode into env variables
on that step instead of embedding them in run, and reference those variables in
the shell command. Also ensure the syntax is cross-shell safe in the workflow,
either by setting shell: bash for the step or by using the appropriate
PowerShell env variable form when running on windows-latest.

In `@README.yaml`:
- Around line 88-92: Correct the typo in the README wording by updating the
phrase in the GitHub action description from “wrapper scipt” to “wrapper
script.” Keep the change limited to the documentation text near the
checksum-validation explanation and the note about capturing stdout, stderr, and
exitcode.

In `@src/__tests__/setup-atmos.test.ts`:
- Around line 249-255: The fs.readFileSync spy in setup-atmos.test.ts is hitting
a TypeScript overload mismatch because the mock callback returns string |
Buffer. Update the mock around jest.spyOn(fs, "readFileSync") to use the
overloaded function type, such as casting the spy to jest.MockedFunction<typeof
fs.readFileSync> or giving mockImplementation an explicit compatible signature,
and apply the same typing approach consistently to all four readFileSync mocks
in this test file.

In `@src/installer.ts`:
- Around line 347-371: The cache lookup in installer.ts can return legacy
wrapper-based atmos entries when installWrapper is false, causing the wrong
shimmed binary to be reused. Update the install flow around getToolCacheName and
tc.find to detect or bypass old namespace/cache entries for the plain binary,
using either a cache-version bump or a content/metadata check before accepting
the cached toolPath, and ensure configureInstalledPath only runs on the correct
binary.

---

Outside diff comments:
In @.github/workflows/main.yml:
- Line 9: The checkout step in the workflow is using the default pull_request
merge ref, so this job may validate merged code instead of the contributor’s
branch. Update the `actions/checkout` usage in the workflow to explicitly check
out the PR head when this job is meant to lint/test/build the contributor’s
changes, and keep the existing workflow/job structure intact while adjusting the
checkout configuration.

In `@src/installer.ts`:
- Around line 305-317: The cleanup around the download/install flow in
installer.ts leaves the file returned by tc.downloadTool behind when
verifyDownloadedTool fails. Update the download handling in the install path
near verifyDownloadedTool and io.cp so the temporary downloadPath is removed on
checksum verification errors as well, using a try/finally or equivalent cleanup
around the acquisition/verification block while preserving the existing
copy-and-delete install behavior.

---

Nitpick comments:
In `@src/wrapper.ts`:
- Around line 65-69: The module-level runWrapper() call is a floating promise in
the require.main === module branch, so add an explicit .catch() handler (or
equivalent top-level await pattern) to the runWrapper invocation in
src/wrapper.ts. Use the runWrapper function and the module entrypoint guard as
the anchor points, and make the fallback handler minimally defensive by
forwarding any unexpected rejection to core.setFailed.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b7f61ec2-327c-430b-ac78-45174b0cf411

📥 Commits

Reviewing files that changed from the base of the PR and between 49625d9 and 56ddd17.

⛔ Files ignored due to path filters (5)
  • README.md is excluded by !README.md
  • dist/index.js is excluded by !**/dist/**
  • dist/wrapper/index.js is excluded by !**/dist/**
  • package-lock.json is excluded by !**/package-lock.json
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (12)
  • .github/workflows/main.yml
  • .github/workflows/validate-codeowners.yml
  • README.yaml
  • action.yml
  • jest.config.js
  • package.json
  • src/__tests__/setup-atmos.test.ts
  • src/__tests__/wrapper.test.ts
  • src/installer.ts
  • src/interfaces.ts
  • src/main.ts
  • src/wrapper.ts
💤 Files with no reviewable changes (1)
  • .github/workflows/validate-codeowners.yml

Comment thread .github/workflows/main.yml
Comment thread .github/workflows/main.yml Outdated
Comment thread .github/workflows/main.yml Outdated
Comment thread README.yaml Outdated
Comment thread src/__tests__/setup-atmos.test.ts Outdated
Comment thread src/installer.ts

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/test-install.yaml (1)

21-22: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Set persist-credentials: false on checkout.

This workflow only checks out the repo to run local actions and doesn't push anything, so the persisted GITHUB_TOKEN credential in git config is unnecessary and widens the attack surface for subsequent steps.

🔒 Proposed fix
       - name: Checkout
         uses: actions/checkout@v7
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test-install.yaml around lines 21 - 22, The Checkout step
in the workflow currently leaves the default GITHUB_TOKEN credentials persisted,
which is unnecessary for this read-only job. Update the actions/checkout usage
in the Checkout step to set persist-credentials to false, keeping the checkout
behavior the same while preventing git credential persistence for later steps.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/test-install.yaml:
- Around line 21-22: The Checkout step in the workflow currently leaves the
default GITHUB_TOKEN credentials persisted, which is unnecessary for this
read-only job. Update the actions/checkout usage in the Checkout step to set
persist-credentials to false, keeping the checkout behavior the same while
preventing git credential persistence for later steps.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 73d2e63a-db8e-4287-9622-b57ef2ff58f4

📥 Commits

Reviewing files that changed from the base of the PR and between 56ddd17 and 0300011.

⛔ Files ignored due to path filters (3)
  • README.md is excluded by !README.md
  • dist/index.js is excluded by !**/dist/**
  • dist/wrapper/index.js is excluded by !**/dist/**
📒 Files selected for processing (5)
  • .github/workflows/main.yml
  • .github/workflows/test-install.yaml
  • README.yaml
  • src/__tests__/setup-atmos.test.ts
  • src/installer.ts
✅ Files skipped from review due to trivial changes (1)
  • README.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/main.yml
  • src/tests/setup-atmos.test.ts

@osterman

Copy link
Copy Markdown
Member Author

CodeRabbit (@coderabbitai) full review

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown
✅ Action performed

Full review finished.

@osterman Erik Osterman (Cloud Posse) (osterman) merged commit 591692a into main Jul 3, 2026
18 checks passed
@osterman Erik Osterman (Cloud Posse) (osterman) deleted the osterman/fix-setup-atmos-windows-ci branch July 3, 2026 20:54
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

These changes were released in v3.1.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants