Add self-updater for CLI binary (#274)

* Add self-updater for CLI binary

- Two-phase update: check manifest, apply on next run
- Verify archive checksum before replacing binary
- Skip in CI and dev builds, add config opt-out
- Bump version to 2.0.45

* Fix archive download URL to include /build/ path segment

The CDN serves archives under /build/, but the URL was constructed
without it, causing 404 errors during self-update downloads.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix DeepSource review issues in self-updater

- Handle os.UserHomeDir() error to prevent state file in relative paths
- Restrict config dir permissions from 0o755 to 0o750
- Limit download size with io.LimitReader (50MB cap)
- Replace unused parameter `r` with `_` in test handler
- Refactor replaceBinary into testable replaceBinaryAt function
- Rewrite tests to call actual functions instead of reimplementing logic

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix remaining DeepSource issues: test logic and coverage gaps

- Rewrite TestCheckForUpdate_AlreadyUpToDate to call CheckForUpdate
  with a mock HTTP server instead of reimplementing logic
- Add tests for FetchManifest, downloadFile, and error paths
  (HTTP errors, network errors, checksum mismatch, missing platform,
  nil build info, zip archive path)
- Add parseSemver test cases for invalid minor/patch and pre-release
- Add ClearBuildInfo helper for test setup
- Update package coverage from 47.5% to ~80%

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Signed-off-by: Sourya Vatsyayan <sourya@deepsource.io>
Co-authored-by: Sourya Vatsyayan <sourya@deepsource.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: 3 people

VERSION

@@ -1 +1 @@
-2.0.43
+2.0.45

buildinfo/version.go

@@ -9,8 +9,9 @@ var buildInfo *BuildInfo
 
 // App identity variables. Defaults are prod values; overridden in main.go for dev builds.
 var (
-	AppName       = "deepsource"  // binary name / display name
-	ConfigDirName = ".deepsource" // ~/<this>/
+	AppName       = "deepsource"              // binary name / display name
+	ConfigDirName = ".deepsource"             // ~/<this>/
+	BaseURL       = "https://cli.deepsource.com" // CDN base for manifest and archives
 )
 
 // BuildInfo describes the compile time information.
@@ -37,6 +38,10 @@ func GetBuildInfo() *BuildInfo {
 	return buildInfo
 }
 
+func ClearBuildInfo() {
+	buildInfo = nil
+}
+
 func (bi BuildInfo) String() string {
 	s := fmt.Sprintf("Version:    v%s", bi.Version)
 	if bi.BuildMode == "dev" && !bi.Date.IsZero() {

cmd/deepsource/main.go

@@ -4,14 +4,17 @@ import (
 	"errors"
 	"fmt"
 	"log"
+	"net/http"
 	"os"
 	"strings"
 	"time"
 
 	v "github.com/deepsourcelabs/cli/buildinfo"
 	"github.com/deepsourcelabs/cli/command"
 	"github.com/deepsourcelabs/cli/internal/cli/style"
+	"github.com/deepsourcelabs/cli/internal/debug"
 	clierrors "github.com/deepsourcelabs/cli/internal/errors"
+	"github.com/deepsourcelabs/cli/internal/update"
 	"github.com/getsentry/sentry-go"
 )
 
@@ -40,6 +43,7 @@ func mainRun() (exitCode int) {
 	if buildMode == "dev" {
 		v.AppName = "deepsource-dev"
 		v.ConfigDirName = ".deepsource-dev"
+		v.BaseURL = "https://cli.deepsource.one"
 	}
 
 	// Init sentry
@@ -67,6 +71,32 @@ func mainRun() (exitCode int) {
 func run() int {
 	v.SetBuildInfo(version, Date, buildMode)
 
+	// Two-phase auto-update: apply pending update or check for new one
+	if update.ShouldAutoUpdate() {
+		state, err := update.ReadUpdateState()
+		if err != nil {
+			debug.Log("update: %v", err)
+		}
+
+		if state != nil {
+			// Phase 2: a previous run found a newer version — apply it now
+			client := &http.Client{Timeout: 30 * time.Second}
+			newVer, err := update.ApplyUpdate(client)
+			if err != nil {
+				debug.Log("update: %v", err)
+			} else if newVer != "" {
+				fmt.Fprintf(os.Stderr, "%s\n", style.Yellow("Updated DeepSource CLI to v%s", newVer))
+			}
+		} else {
+			// Phase 1: check manifest and write state file for next run
+			client := &http.Client{Timeout: 3 * time.Second}
+			if err := update.CheckForUpdate(client); err != nil {
+				debug.Log("update: %v", err)
+			}
+		}
+	}
+
+	exitCode := 0
 	if err := command.Execute(); err != nil {
 		var cliErr *clierrors.CLIError
 		if errors.As(err, &cliErr) {
@@ -78,7 +108,8 @@ func run() int {
 			sentry.CaptureException(err)
 		}
 		sentry.Flush(2 * time.Second)
-		return 1
+		exitCode = 1
 	}
-	return 0
+
+	return exitCode
 }

config/config.go

@@ -16,6 +16,7 @@ type CLIConfig struct {
 	User           string    `toml:"user"`
 	Token          string    `toml:"token"`
 	TokenExpiresIn time.Time `toml:"token_expires_in,omitempty"`
+	AutoUpdate     *bool     `toml:"auto_update,omitempty"`
 	SkipTLSVerify  bool      `toml:"skip_tls_verify,omitempty"`
 	TokenFromEnv   bool      `toml:"-"`
 }

internal/update/manifest.go

@@ -0,0 +1,53 @@
+package update
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"runtime"
+
+	"github.com/deepsourcelabs/cli/buildinfo"
+)
+
+// Manifest represents the CLI release manifest served by the CDN.
+type Manifest struct {
+	Version   string                  `json:"version"`
+	BuildTime string                  `json:"buildTime"`
+	Platforms map[string]PlatformInfo `json:"platforms"`
+}
+
+// PlatformInfo holds the archive filename and checksum for a platform.
+type PlatformInfo struct {
+	Archive string `json:"archive"`
+	SHA256  string `json:"sha256"`
+}
+
+// FetchManifest downloads and parses the release manifest.
+func FetchManifest(client *http.Client) (*Manifest, error) {
+	resp, err := client.Get(buildinfo.BaseURL + "/manifest.json")
+	if err != nil {
+		return nil, fmt.Errorf("fetching manifest: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("manifest returned HTTP %d", resp.StatusCode)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("reading manifest body: %w", err)
+	}
+
+	var m Manifest
+	if err := json.Unmarshal(body, &m); err != nil {
+		return nil, fmt.Errorf("parsing manifest JSON: %w", err)
+	}
+	return &m, nil
+}
+
+// PlatformKey returns the manifest key for the current OS/arch.
+func PlatformKey() string {
+	return runtime.GOOS + "_" + runtime.GOARCH
+}