From 70a50b08ea4823fc5d92de6ebd91a21169db1b89 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20HOUZ=C3=89?= Date: Mon, 30 Mar 2026 00:59:34 +0200 Subject: [PATCH 1/2] Fix Windows install security warning from Invoke-WebRequest Replace the artifact probe loop (Invoke-WebRequest HEAD requests) with a membership check against the GitHub release asset list already fetched via Invoke-RestMethod. This eliminates Invoke-WebRequest entirely, which was triggering a PowerShell 5.1 IE-parser security warning on every install. - For 'latest': extract $ReleaseAssets from the existing API response at no extra cost. - For a specific version: add an Invoke-RestMethod call to /releases/tags/{tag} to fetch the same asset list. - Replace the HEAD probe loop with a simple -contains membership check. - Improve the error message: show available Windows assets from the release when no compatible binary is found. Fixes #118
---
 install.ps1 | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/install.ps1 b/install.ps1
index e28f01b..b8a0630 100644
--- a/install.ps1
+++ b/install.ps1
@@ -109,6 +109,7 @@ if ($Version -eq "latest") {
 try {
 $Response = Invoke-RestMethod -Uri $ApiUrl -Headers @{ "Accept" = "application/vnd.github.v3+json" }
 $Tag = $Response.tag_name
+ $ReleaseAssets = $Response.assets | ForEach-Object { $_.name }
 } catch {
 Write-Output "Install Failed:"
 Write-Output " Could not determine the latest release from the GitHub API."
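Review bot: Reducing `$Response.assets` to bare names on the added line means the later download (outside this hunk) can confirm that an asset with that name exists, but not that the bytes it receives are the ones the release published. The release JSON already carries a `browser_download_url` per asset and, where the API returns it, a `digest`; keeping the objects as well, e.g. `$ReleaseAssetObjects = @($Response.assets)`, would let the installer compare `Get-FileHash` output against that digest before the binary is run. The same assignment is repeated in the specific-version branch of the next hunk. The `try` starts and the `catch` ends outside this hunk.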
@@ -118,6 +119,18 @@ if ($Version -eq "latest") {
 }
 } else {
 $Tag = $Version
+ $ApiUrl = "https://api.github.com/repos/${Repo}/releases/tags/${Tag}"
+
+ try {
+ $Response = Invoke-RestMethod -Uri $ApiUrl -Headers @{ "Accept" = "application/vnd.github.v3+json" }
+ $ReleaseAssets = $Response.assets | ForEach-Object { $_.name }
+ } catch {
+ Write-Output "Install Failed:"
+ Write-Output " Could not fetch release ${Tag} from the GitHub API."
+ Write-Output " URL: $ApiUrl"
+ Write-Output " $_"
+ exit 1
+ }
 }
 # ── Resolve artifact name with automatic x64 fallback ────────────────────────
@@ -127,6 +140,10 @@ if ($Version -eq "latest") {
 # github-code-search-windows-x64-baseline.exe — compatible with any x86-64 CPU
 # github-code-search-windows-x64.exe — legacy alias kept for back-compat
 # github-code-search-windows-arm64.exe — ARM64
+#
+# Artifact availability is checked against the GitHub release asset list already
+# fetched above — no extra network request needed, and no Invoke-WebRequest
+# which triggers a security warning on Windows PowerShell 5.1.
 $CandidateTargets = @($Target)
 if ($Target -eq "x64-modern") {
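Review bot: `$Tag` is copied from the caller-supplied `$Version` and interpolated into `$ApiUrl` unescaped, so a value containing `/`, `?` or `#` changes which API path is requested instead of failing cleanly as an unknown tag. Escaping the path segment, `$ApiUrl = "https://api.github.com/repos/${Repo}/releases/tags/$([uri]::EscapeDataString($Tag))"`, keeps the request pinned to the tags endpoint. Whether `$Version` is validated earlier in the script is not visible in this hunk. The `else` branch closes inside the hunk, but the enclosing `if` starts above it.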
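Review bot: The added comment says no extra network request is needed, but that holds only for the `latest` branch; for a pinned version the previous hunk adds a dedicated `Invoke-RestMethod` call. Suggested wording: `# Artifact availability is checked against the release asset list fetched above (one API call per install), which avoids Invoke-WebRequest and its Windows PowerShell 5.1 security warning.`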
@@ -139,22 +156,21 @@ if ($Target -eq "x64-modern") {
 $Artifact = $null
 foreach ($Candidate in $CandidateTargets) {
 $CandidateArtifact = "${BinaryName}-windows-${Candidate}.exe"
- $CheckUrl = "https://github.com/${Repo}/releases/download/${Tag}/${CandidateArtifact}"
- try {
- # -UseBasicParsing is removed in PowerShell 6+ (pwsh); omit it for compat.
- $Null = Invoke-WebRequest -Uri $CheckUrl -Method Head -ErrorAction Stop
+ if ($ReleaseAssets -contains $CandidateArtifact) {
 $Artifact = $CandidateArtifact
 $Target = $Candidate
 break
- } catch {
- Write-Output " Variant windows-${Candidate} not found in release ${Tag}, trying next..."
 }
 }
 if ($null -eq $Artifact) {
+ $AvailableWindows = $ReleaseAssets | Where-Object { $_ -like "*windows*" }
 Write-Output "Install Failed:"
 Write-Output " No compatible Windows binary found for ${Tag}."
 Write-Output " Tried: $($CandidateTargets -join ', ')"
+ if ($AvailableWindows) {
+ Write-Output " Available Windows assets: $($AvailableWindows -join ', ')"
+ }
 exit 1
 }
From 47c0dbf30740d824028639d669e8f4105b326ec9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20HOUZ=C3=89?= Date: Mon, 30 Mar 2026 01:04:38 +0200 Subject: [PATCH 2/2] Add curl.exe fallback when GitHub API unreachable for specific version When installing a specific version (-Version v1.x.y) and the GitHub API is blocked or rate-limited, set $ReleaseAssets to $null instead of failing hard, then fall back to probing candidate artifact URLs with 'curl.exe -fsI' (HEAD requests). curl.exe ships with Windows 10 1803+ and is already used for the binary download, so the dependency is not new. This preserves the behaviour of the original script in API-restricted environments while avoiding Invoke-WebRequest (which triggers the PS5.1 security warning). Addresses code-review feedback on PR #122.
---
 install.ps1 | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/install.ps1 b/install.ps1
index b8a0630..1796a7a 100644
--- a/install.ps1
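Review bot: In the candidate loop of the first patch, removing the `catch` branch also removes the only message that told the user a variant was skipped, so an `x64-modern` request can now resolve to another candidate with no output from this loop. Because `$Target` is overwritten with `$Candidate`, a line inside the new `if` such as `if ($Candidate -ne $CandidateTargets[0]) { Write-Output "  Variant windows-$($CandidateTargets[0]) not in release ${Tag}; using windows-${Candidate}." }` would keep the substitution visible. Later code may already print the chosen artifact, but that part is outside the hunk.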
+++ b/install.ps1
@@ -125,11 +125,11 @@ if ($Version -eq "latest") {
 $Response = Invoke-RestMethod -Uri $ApiUrl -Headers @{ "Accept" = "application/vnd.github.v3+json" }
 $ReleaseAssets = $Response.assets | ForEach-Object { $_.name }
 } catch {
- Write-Output "Install Failed:"
- Write-Output " Could not fetch release ${Tag} from the GitHub API."
- Write-Output " URL: $ApiUrl"
- Write-Output " $_"
- exit 1
+ # GitHub API unreachable (blocked, rate-limited, …) — fall back to probing
+ # candidate artifacts directly with curl.exe HEAD requests. curl.exe ships
+ # with Windows 10 1803+ and is already used for the binary download below.
+ Write-Output " GitHub API unavailable ($ApiUrl); falling back to direct artifact probing..."
+ $ReleaseAssets = $null
 }
 }
@@ -144,6 +144,8 @@ if ($Version -eq "latest") {
 # Artifact availability is checked against the GitHub release asset list already
 # fetched above — no extra network request needed, and no Invoke-WebRequest
 # which triggers a security warning on Windows PowerShell 5.1.
+# When the API was unreachable ($ReleaseAssets is $null), we fall back to
+# probing candidate URLs with curl.exe HEAD requests instead.
 $CandidateTargets = @($Target)
 if ($Target -eq "x64-modern") {
@@ -156,7 +158,16 @@ if ($Target -eq "x64-modern") {
 $Artifact = $null
 foreach ($Candidate in $CandidateTargets) {
 $CandidateArtifact = "${BinaryName}-windows-${Candidate}.exe"
- if ($ReleaseAssets -contains $CandidateArtifact) {
+ $Found = $false
+ if ($null -ne $ReleaseAssets) {
+ $Found = $ReleaseAssets -contains $CandidateArtifact
+ } else {
+ # Fallback: probe via curl.exe HEAD (no Invoke-WebRequest, no PS5.1 warning).
+ $CheckUrl = "https://github.com/${Repo}/releases/download/${Tag}/${CandidateArtifact}"
+ $null = curl.exe -fsI $CheckUrl 2>$null
+ $Found = $LASTEXITCODE -eq 0
+ }
+ if ($Found) {
 $Artifact = $CandidateArtifact
 $Target = $Candidate
 break
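Review bot: The rewritten `catch` treats every `Invoke-RestMethod` failure as "API unavailable" and discards `$_`, so a 404 for a tag that does not exist is handled like a rate limit. The script then probes each candidate URL and ends up reporting a missing binary rather than a missing release. Keeping the cause in the message, `Write-Output "  GitHub API unavailable ($ApiUrl): $($_.Exception.Message); falling back to direct artifact probing..."`, leaves the real error visible when the fallback also fails. The `try` opens above the hunk.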
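Review bot: In the candidate loop, `$null` now means "API unreachable", but `$Response.assets | ForEach-Object { $_.name }` also yields `$null` when a release has no assets, so such a release takes the curl.exe probing path instead of the asset-list check. Wrapping both assignments as `$ReleaseAssets = @($Response.assets | ForEach-Object { $_.name })` keeps an empty list distinct from the sentinel set in the `catch`. In the fallback branch, `$LASTEXITCODE` is read straight after `curl.exe`; if the command cannot be started the variable may keep an earlier value, so a `Get-Command curl.exe -ErrorAction SilentlyContinue` check before the loop would turn that into an explicit failure. The `foreach` body continues past the end of the hunk.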
@@ -164,7 +175,7 @@ foreach ($Candidate in $CandidateTargets) {
 }
 if ($null -eq $Artifact) {
- $AvailableWindows = $ReleaseAssets | Where-Object { $_ -like "*windows*" }
+ $AvailableWindows = if ($null -ne $ReleaseAssets) { $ReleaseAssets | Where-Object { $_ -like "*windows*" } } else { @() }
 Write-Output "Install Failed:"
 Write-Output " No compatible Windows binary found for ${Tag}."
 Write-Output " Tried: $($CandidateTargets -join ', ')"