fix(scripts): resolve release artifacts from fork

[def324]

Summary

Make Lumen launcher release downloads work from fork checkouts and keep fork workflow runs away from upstream-only publishing paths.

• Resolve release artifacts from LUMEN_RELEASE_REPO, then a valid GitHub origin remote, then ory/lumen.
• Validate owner/repo values before constructing GitHub release URLs.
• Remove hardcoded GoReleaser release repository metadata so release artifacts attach to the repository running the workflow.
• Gate Coveralls and release publishing paths to avoid requiring upstream-only credentials from fork contexts.
• Add Unix and Windows launcher coverage for fork-derived release URLs and invalid-origin fallback behavior.

Test Plan

• bash scripts/test_run.sh
• bash scripts/test_run_cmd.sh
• actionlint -shellcheck=
• git diff --cached --check

Summary by CodeRabbit

• Chores
  • Enhanced CI/CD pipeline security with repository guards to prevent unauthorized workflow execution.
  • Improved release process with validation checks and atomic binary downloads.
  • Added support for custom release repositories via LUMEN_RELEASE_REPO environment variable; scripts now automatically derive release location from local Git configuration with fallback to default.
  • Expanded test coverage for release repository resolution across multiple scenarios.

[coderabbitai]

Warning

Rate limit exceeded

@def324 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 44 minutes and 32 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 01a41cb1-b398-45b6-88af-1175777506dd

📥 Commits

Reviewing files that changed from the base of the PR and between 25b42ca and bfe7225.

📒 Files selected for processing (4)

• scripts/run.bat
• scripts/run.sh
• scripts/test_run.sh
• scripts/test_run_windows.ps1

📝 Walkthrough

Walkthrough

This PR implements dynamic release repository resolution for the Lumen plugin, allowing it to download binaries from a configurable or auto-detected GitHub repository instead of the hardcoded ory/lumen. The changes include helper functions to parse and validate Git remote URLs, updated binary download/installation flows, workflow guards to prevent unintended releases from forks, and comprehensive tests for the new resolution logic.

Changes

Dynamic Release Repository Resolution

Layer / File(s)	Summary
Core Implementation scripts/run.sh	Added three helper functions: release_repo_from_remote_url() parses Git remote URLs (HTTPS, SSH, ssh://) into owner/repo format; valid_release_repo() validates owner/name character constraints; resolve_release_repo() selects the release repo from LUMEN_RELEASE_REPO (validated), or derives it from the plugin root's git origin remote (validated), falling back to ory/lumen.
Binary Download & Installation scripts/run.bat, scripts/run.sh	Windows script (run.bat) now uses a temporary file (%TMP_BINARY%) for downloads instead of direct installation; both scripts apply the resolved repository to construct GitHub release download URLs. Unix script exports LUMEN_PLUGIN_ROOT for downstream use.
Release & Build Configuration .github/workflows/ci.yml, .github/workflows/release-please.yml, .goreleaser.yml	CI Coveralls upload step is gated to ory/lumen only. Release-please, release, and npm-publish jobs are guarded by repository checks and release creation flags to prevent accidental releases from forks. GoReleaser configuration adds checksum.name_template and removes hardcoded GitHub repository owner/name fields.
Testing scripts/test_run.sh, scripts/test_run_windows.ps1	Unix test suite adds offline tests for release-repo resolution from various Git URL formats, and extends stdio integration tests to verify that run.sh derives or uses the expected repository via curl URL logging. Windows test suite refactors into a parameterized Invoke-RunBatScenario function covering environment override, origin-derived repos, and invalid-origin fallback cases; curl stub now logs invocation arguments for URL verification.

Sequence Diagram(s)

No sequence diagram generated. The changes are primarily configuration updates, helper function additions, and test enhancements without significant new control flow across 3+ distinct components.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: enabling Lumen launchers to resolve release artifacts from fork repositories rather than just the upstream.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

scripts/test_run_windows.ps1 (1)

183-212: ⚡ Quick win

Add a Windows SSH-origin scenario.

run.bat handles git@github.com: and ssh://git@github.com/, but this suite only exercises the HTTPS origin form. Adding at least one SSH-origin case here would keep the Windows coverage aligned with scripts/test_run.sh and with the launcher behavior this PR added. As per coding guidelines, "Keep .claude-plugin/, .codex/, .cursor-plugin/, .cursor/, .opencode/, hooks/, skills/, scripts/, and package.json aligned where they represent the same Lumen distribution".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/test_run_windows.ps1` around lines 183 - 212, Add a Windows
SSH-origin scenario by invoking Invoke-RunBatScenario with an SSH-style
OriginUrl (e.g., 'git@github.com:def324/lumen.git' or
'ssh://git@github.com/def324/lumen.git'), set ExpectedRepo to 'def324/lumen' and
provide a descriptive PassMessage (e.g., 'run.bat stdio derives first-install
download repo from SSH origin'); place this new Invoke-RunBatScenario alongside
the other cases so run.bat's SSH-origin handling is exercised on Windows,
matching the coverage in scripts/test_run.sh.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/run.bat`:
- Around line 28-48: The current validation for LUMEN_RELEASE_REPO allows values
like "def324/lumen.git" which later build a broken URL; update the check in the
run.bat block that handles LUMEN_RELEASE_REPO (variables REPO and REPO_OWNER) to
either reject inputs ending with ".git" or normalize by stripping a trailing
".git" from REPO before further validation and URL construction; implement this
by trimming ".git" from the REPO value (or adding an explicit error message)
immediately after setting REPO and before the regex/owner extraction so
subsequent checks (REPO_OWNER, length and dash checks) and any download URL use
the sanitized repo name.
- Line 30: The echo(!REPO!| findstr ... and echo(!CANDIDATE!| findstr ... usages
expand unquoted environment variables into the cmd pipeline and allow
metacharacter injection; replace these checks by performing the regex validation
in PowerShell (e.g., use the -match operator against $env:REPO/$env:CANDIDATE
and exit non‑zero on failure) or, if you must stay in batch, disable delayed
expansion and defensively escape/quote the variable contents before piping (or
sanitize by removing/escaping &,|,>,<,^) so that REPO and CANDIDATE are treated
as data rather than parsed commands. Ensure the change targets the validation
logic that references REPO and CANDIDATE so no unquoted expansions are piped
into findstr.

In `@scripts/run.sh`:
- Around line 27-39: The valid_release_repo function currently allows repo names
ending with .git; update it to either normalize by stripping a trailing ".git"
from the input before parsing (e.g., trim suffix from the argument inside
valid_release_repo) or change the name validation to reject names that end with
".git"; adjust the owner/name extraction (owner="${repo%%/*}" and
name="${repo#*/}") to operate on the normalized value and re-run the existing
regex checks (owner and name) against the cleaned name so LUMEN_RELEASE_REPO
values like "def324/lumen.git" become "def324/lumen" or are rejected outright.

---

Nitpick comments:
In `@scripts/test_run_windows.ps1`:
- Around line 183-212: Add a Windows SSH-origin scenario by invoking
Invoke-RunBatScenario with an SSH-style OriginUrl (e.g.,
'git@github.com:def324/lumen.git' or 'ssh://git@github.com/def324/lumen.git'),
set ExpectedRepo to 'def324/lumen' and provide a descriptive PassMessage (e.g.,
'run.bat stdio derives first-install download repo from SSH origin'); place this
new Invoke-RunBatScenario alongside the other cases so run.bat's SSH-origin
handling is exercised on Windows, matching the coverage in scripts/test_run.sh.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: fc855928-cc85-4305-aa8a-14451465c64c

📥 Commits

Reviewing files that changed from the base of the PR and between 5206287 and 25b42ca.

📒 Files selected for processing (7)

• .github/workflows/ci.yml
• .github/workflows/release-please.yml
• .goreleaser.yml
• scripts/run.bat
• scripts/run.sh
• scripts/test_run.sh
• scripts/test_run_windows.ps1

💤 Files with no reviewable changes (1)

• .goreleaser.yml