HorlogeSkynet/update_gitea.sh

## update_gitea.sh
#!/usr/bin/env bash

#
# @HorlogeSkynet's Gitea automatic updating script for GNU/Linux.
#
# Version : v3.0.2
# URL : <https://gist.github.com/HorlogeSkynet/d676b9204869842933169dbe35ed8650>
#
# /!\ A proper Gitea server managed by a systemd service is required /!\
# --> Maintainer one : <https://gist.github.com/HorlogeSkynet/81a3a4ff2ea342dc3a77dc038cbc0e35>
#
# /!\ Expect previous version to be backup-ed as "${INSTALL_TARGET}.~" /!\
#
# Required packages :
#  * wget
#  * gnupg2
#  * xz-utils
#  * jq (only for automatic updates)
#
# Installation instructions :
#  0. Make sure required packages are correctly installed
#  1. Copy this script somewhere on your system as 'update_gitea.sh'
#  2. Set it executable with 'chmod +x update_gitea.sh'
#  3. Set (and verify) below constants to fit your Gitea setup
#  4. Enjoy !
#

set -euo pipefail

### BEGIN CONSTANTS ###

# Leave this field empty to automatically install latest "stable" release.
VERSION=""
PLATFORM="linux"
ARCH="amd64"
INSTALL_TARGET="/usr/local/bin/gitea"
SYSTEMD_SERVICE="gitea.service"
GITHUB_URL="https://api.github.com/repos/go-gitea/gitea/releases/latest"

# You really should not trust anyone with the next values below.
# Please verify it on : <https://docs.gitea.io/en-us/install-from-binary/#verify-gpg-signature>
TRUSTED_GPG_SERVER="keys.openpgp.org"
TRUSTED_KEY_HASH="0x7C9E68152594688862D62AF62D9AE806EC1592E2"

### END CONSTANTS ###

### BEGIN MACROS ###

# Adapted from <https://www.jwdev.com/2020/01/27/native-bash-semver-check/>
function semver_check {
	high_version=$(echo -e "$1\\n$2" | LC_ALL=C sort -V | tail -1)
	[[ "$1" != "$2" && "$1" != "$high_version" ]] && echo -1 && return
	[[ "$1" == "$2" ]]; echo $?
}

function log_success {
	echo -e "\\033[32mOK\\033[0m."
}

function log_error {
	>&2 echo -e "\\033[31m${1:-Failed}\\033[0m."
}

### END MACROS ###

trap 'test -z "$TMPDIR" || rm -rf "$TMPDIR"' EXIT
TMPDIR="$(mktemp -d)"
pushd "$TMPDIR" > /dev/null || exit 1

# If `VERSION` has been left empty, fetch latest tag from GitHub.
if [ -z "$VERSION" ]; then
	echo -n "Now fetching current Gitea version : "
	CURRENT_VERSION="$(${INSTALL_TARGET} --version | cut -d ' ' -f 3 || true)"
	echo "${CURRENT_VERSION:-None}"

	echo -n "Now fetching latest release from GitHub API : "
	VERSION="$(wget -qO- --header 'Accept: application/vnd.github.v3+json' "$GITHUB_URL" | jq -r '.tag_name' || true)"
	if [ -z "$VERSION" ]; then
		log_error "HTTP request failed"
		exit 1
	fi
	# Strips any leading 'v' character.
	if [ "${VERSION:0:1}" == 'v' ]; then
		VERSION="${VERSION:1}"
	fi
	echo "$VERSION"

	# Error is human : check that "latest" published version is really superior.
	if [ -n "$CURRENT_VERSION" -a "$(semver_check "$VERSION" "$CURRENT_VERSION")" -le 0 ]; then
		# Stop here if already up to date (or even more recent to prevent database corruption).
		exit 0
	fi
fi

# DRY.
binary_name="gitea-${VERSION}-${PLATFORM}-${ARCH}"
base_name="${binary_name}.xz"

echo -n "Now retrieving compressed binary, as long as its SHA256 checksum and GPG signature : "
wget -q "https://dl.gitea.io/gitea/${VERSION}/${base_name}"{,.sha256,.asc} || \
	wget -q "https://dl.gitea.io/gitea/v${VERSION}/${base_name}"{,.sha256,.asc}
log_success

echo -n "Now verifying the program checksum : "
if ! sha256sum --quiet -c "${base_name}.sha256" 2> /dev/null; then
	log_error "Invalid checksum"
	exit 1
fi
log_success

# Ensure that the GPG public key of Teabot is present within the local keyring.
if ! gpg --list-keys $TRUSTED_KEY_HASH > /dev/null 2>&1; then
	echo -n "Now retrieving GPG public identities of Teabot : "
	if ! gpg --keyserver $TRUSTED_GPG_SERVER --recv $TRUSTED_KEY_HASH > /dev/null; then
		# GPG would throw errors (if any) over here.
		exit 1
	fi
	log_success
fi

echo -n "Now verifying the GPG signature of the program : "
if ! gpg --verify "${base_name}.asc" "$base_name" 2> /dev/null; then
	log_error "Invalid signature"
	exit 1
fi
log_success

echo -n "Now decompressing binary : "
if ! xz --decompress --force "${base_name}"; then
	# xz would throw errors (if any) over here.
	exit 1
fi
log_success

echo -n "Now stopping Gitea : "
if ! systemctl stop "$SYSTEMD_SERVICE"; then
	log_error
	exit 1
fi
log_success

echo -n "Now installing and preparing new binary : "
chmod +x "$binary_name"
mv --backup --force "$binary_name" "$INSTALL_TARGET"
log_success

echo -n "Now starting again Gitea : "
if ! systemctl start "$SYSTEMD_SERVICE"; then
	log_error
	exit 1
fi
log_success

echo -n "Now cleaning up : "
if ! rm "$base_name"* 2> /dev/null; then
	log_error
	exit 1
fi
log_success

popd > /dev/null || exit 1
	#!/usr/bin/env bash

	#
	# @HorlogeSkynet's Gitea automatic updating script for GNU/Linux.
	#
	# Version : v3.0.2
	# URL : <https://gist.github.com/HorlogeSkynet/d676b9204869842933169dbe35ed8650>
	#
	# /!\ A proper Gitea server managed by a systemd service is required /!\
	# --> Maintainer one : <https://gist.github.com/HorlogeSkynet/81a3a4ff2ea342dc3a77dc038cbc0e35>
	#
	# /!\ Expect previous version to be backup-ed as "${INSTALL_TARGET}.~" /!\
	#
	# Required packages :
	# * wget
	# * gnupg2
	# * xz-utils
	# * jq (only for automatic updates)
	#
	# Installation instructions :
	# 0. Make sure required packages are correctly installed
	# 1. Copy this script somewhere on your system as 'update_gitea.sh'
	# 2. Set it executable with 'chmod +x update_gitea.sh'
	# 3. Set (and verify) below constants to fit your Gitea setup
	# 4. Enjoy !
	#

	set -euo pipefail

	### BEGIN CONSTANTS ###

	# Leave this field empty to automatically install latest "stable" release.
	VERSION=""
	PLATFORM="linux"
	ARCH="amd64"
	INSTALL_TARGET="/usr/local/bin/gitea"
	SYSTEMD_SERVICE="gitea.service"
	GITHUB_URL="https://api.github.com/repos/go-gitea/gitea/releases/latest"

	# You really should not trust anyone with the next values below.
	# Please verify it on : <https://docs.gitea.io/en-us/install-from-binary/#verify-gpg-signature>
	TRUSTED_GPG_SERVER="keys.openpgp.org"
	TRUSTED_KEY_HASH="0x7C9E68152594688862D62AF62D9AE806EC1592E2"

	### END CONSTANTS ###

	### BEGIN MACROS ###

	# Adapted from <https://www.jwdev.com/2020/01/27/native-bash-semver-check/>
	function semver_check {
	high_version=$(echo -e "$1\\n$2" \| LC_ALL=C sort -V \| tail -1)
	[[ "$1" != "$2" && "$1" != "$high_version" ]] && echo -1 && return
	[[ "$1" == "$2" ]]; echo $?
	}

	function log_success {
	echo -e "\\033[32mOK\\033[0m."
	}

	function log_error {
	>&2 echo -e "\\033[31m${1:-Failed}\\033[0m."
	}

	### END MACROS ###

	trap 'test -z "$TMPDIR" \|\| rm -rf "$TMPDIR"' EXIT
	TMPDIR="$(mktemp -d)"
	pushd "$TMPDIR" > /dev/null \|\| exit 1

	# If `VERSION` has been left empty, fetch latest tag from GitHub.
	if [ -z "$VERSION" ]; then
	echo -n "Now fetching current Gitea version : "
	CURRENT_VERSION="$(${INSTALL_TARGET} --version \| cut -d ' ' -f 3 \|\| true)"
	echo "${CURRENT_VERSION:-None}"

	echo -n "Now fetching latest release from GitHub API : "
	VERSION="$(wget -qO- --header 'Accept: application/vnd.github.v3+json' "$GITHUB_URL" \| jq -r '.tag_name' \|\| true)"
	if [ -z "$VERSION" ]; then
	log_error "HTTP request failed"
	exit 1
	fi
	# Strips any leading 'v' character.
	if [ "${VERSION:0:1}" == 'v' ]; then
	VERSION="${VERSION:1}"
	fi
	echo "$VERSION"

	# Error is human : check that "latest" published version is really superior.
	if [ -n "$CURRENT_VERSION" -a "$(semver_check "$VERSION" "$CURRENT_VERSION")" -le 0 ]; then
	# Stop here if already up to date (or even more recent to prevent database corruption).
	exit 0
	fi
	fi

	# DRY.
	binary_name="gitea-${VERSION}-${PLATFORM}-${ARCH}"
	base_name="${binary_name}.xz"

	echo -n "Now retrieving compressed binary, as long as its SHA256 checksum and GPG signature : "
	wget -q "https://dl.gitea.io/gitea/${VERSION}/${base_name}"{,.sha256,.asc} \|\| \
	wget -q "https://dl.gitea.io/gitea/v${VERSION}/${base_name}"{,.sha256,.asc}
	log_success

	echo -n "Now verifying the program checksum : "
	if ! sha256sum --quiet -c "${base_name}.sha256" 2> /dev/null; then
	log_error "Invalid checksum"
	exit 1
	fi
	log_success

	# Ensure that the GPG public key of Teabot is present within the local keyring.
	if ! gpg --list-keys $TRUSTED_KEY_HASH > /dev/null 2>&1; then
	echo -n "Now retrieving GPG public identities of Teabot : "
	if ! gpg --keyserver $TRUSTED_GPG_SERVER --recv $TRUSTED_KEY_HASH > /dev/null; then
	# GPG would throw errors (if any) over here.
	exit 1
	fi
	log_success
	fi

	echo -n "Now verifying the GPG signature of the program : "
	if ! gpg --verify "${base_name}.asc" "$base_name" 2> /dev/null; then
	log_error "Invalid signature"
	exit 1
	fi
	log_success

	echo -n "Now decompressing binary : "
	if ! xz --decompress --force "${base_name}"; then
	# xz would throw errors (if any) over here.
	exit 1
	fi
	log_success

	echo -n "Now stopping Gitea : "
	if ! systemctl stop "$SYSTEMD_SERVICE"; then
	log_error
	exit 1
	fi
	log_success

	echo -n "Now installing and preparing new binary : "
	chmod +x "$binary_name"
	mv --backup --force "$binary_name" "$INSTALL_TARGET"
	log_success

	echo -n "Now starting again Gitea : "
	if ! systemctl start "$SYSTEMD_SERVICE"; then
	log_error
	exit 1
	fi
	log_success

	echo -n "Now cleaning up : "
	if ! rm "$base_name"* 2> /dev/null; then
	log_error
	exit 1
	fi
	log_success

	popd > /dev/null \|\| exit 1