Infisical CLI version resolution: fallback when asset is missing +semver: minor #157

Merged
guibranco merged 1 commit into main from guibranco-patch-1
Mar 27, 2026

Conversation

@guibranco
Owner

@guibranco guibranco commented Mar 27, 2026

🔍 Infisical CLI version resolution: fallback when asset is missing

Problem

Some Infisical CLI releases are published without the expected platform asset (e.g. cli_0.43.66_linux_amd64.tar.gz). The previous implementation selected the first metadata-valid release (non-draft, non-prerelease, no -postgres suffix) but did not verify that the actual download asset was present in that release. This caused the workflow to fail at the download step with:

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
❌ Failed to download or extract Infisical CLI

Solution

Updated the Get latest valid Infisical CLI version step to iterate through candidate releases in order and verify that the expected asset (cli_<version>_linux_amd64.tar.gz) is present in each release's assets array before selecting it. The first release that satisfies both the metadata criteria and has the asset available is used.

This validation is done entirely against the already-fetched API response — no extra HTTP requests are made per release, so there is no performance impact in the happy path.

Changes

  • Replaced single jq + head -n1 selection with an iteration loop over all candidate releases
  • Added asset presence check via jq on the assets[] array of each release
  • Releases missing the expected asset emit a ⚠️ skipping log line for observability
  • Failure message now lists available releases to aid debugging, consistent with prior behavior
  • Extracted architecture string into an ARCH variable for clarity
  • All original comments preserved; updated criterion list to document the new asset check ([Penify]: Setting up Automated AI-Driven Documentation for GitHub! #5)

Example log output (skipping a bad release)

🔍 Fetching latest valid Infisical CLI version...
⚠️  Release v0.43.66 does not have asset cli_0.43.66_linux_amd64.tar.gz, skipping...
✅ Found release v0.43.65 with asset cli_0.43.65_linux_amd64.tar.gz
🔍 Found valid CLI version: 0.43.65 (tag: v0.43.65)

Type of change

  • Bug fix (resolves intermittent workflow failures on incomplete releases)
  • New feature
  • Breaking change
  • Documentation update

Summary by Sourcery

Ensure the GitHub Action selects an Infisical CLI release that actually includes the expected Linux AMD64 asset before proceeding.

Bug Fixes:

  • Prevent workflow failures by skipping Infisical CLI releases that are missing the expected linux_amd64 tarball asset.

Enhancements:

  • Iterate over candidate releases with logging to choose the first valid tag that includes the required asset and expose selected version/tag via updated variables for clarity.

Update action.yml +semver: minor
@sourcery-ai

sourcery-ai Bot commented Mar 27, 2026

Reviewer's Guide

Updates the Infisical GitHub Action’s CLI version resolution logic to iterate through candidate releases and ensure the expected architecture-specific asset exists before selecting a version, improving robustness and logging when releases are missing assets.

Flow diagram for updated Infisical CLI version resolution logic

flowchart TD
  Start([Start version resolution]) --> FetchJSON
  FetchJSON["Fetch releases JSON from GitHub API"] --> CheckFetch
  CheckFetch{Fetch successful?} -->|No| FailFetch
  CheckFetch -->|Yes| InitVars

  FailFetch["Mark FETCH_FAILED=true and exit with error"]

  InitVars["Set ARCH=linux_amd64, FOUND_VERSION='', FOUND_TAG=''"] --> ListCandidates

  ListCandidates["List candidate tag_names with jq (non-draft, non-prerelease, startswith v, no -postgres)"] --> ForEachTag

  ForEachTag["Iterate over each TAG_NAME"] --> ExtractVersion
  ExtractVersion["Derive VERSION by stripping v prefix from TAG_NAME"] --> BuildAsset
  BuildAsset["Build ASSET=cli_${VERSION}_${ARCH}.tar.gz"] --> CheckAsset

  CheckAsset["Use jq to check if release with TAG_NAME has ASSET in assets[]"] --> HasAsset

  HasAsset{Asset present?} -->|Yes| SelectRelease
  HasAsset -->|No| SkipRelease

  SkipRelease["Log warning: Release TAG_NAME does not have ASSET, skipping"] --> NextTag
  NextTag["Next TAG_NAME from candidate list"] --> ForEachTag

  SelectRelease["Log success, set FOUND_VERSION=VERSION and FOUND_TAG=TAG_NAME"] --> DoneLoop

  DoneLoop["Loop ends (either break on success or candidates exhausted)"] --> CheckFound

  CheckFound{FOUND_VERSION and FOUND_TAG set?} -->|No| FailNoValid
  CheckFound -->|Yes| Success

  FailNoValid["Log error: No valid Infisical CLI release found with the expected asset; list available releases; set FETCH_FAILED=true and exit"]

  Success["Log found version and tag; write version and tag_name to GITHUB_OUTPUT; set FETCH_FAILED=false"] --> End

  End([End])

File-Level Changes

Change: Harden CLI version selection by iterating over candidate releases and verifying the expected asset is present before choosing a version.
Details:
  • Introduce ARCH, FOUND_VERSION, and FOUND_TAG variables to parameterize architecture and track the selected release.
  • Replace single jq selection piped to head -n1 with a while-read loop over tag names that match existing metadata criteria (non-draft, non-prerelease, v-prefixed, not -postgres).
  • For each candidate tag, derive VERSION and ASSET names and use jq to check the release’s assets[] array for the expected cli_<version>_<arch>.tar.gz asset.
  • On finding a matching asset, set FOUND_VERSION/FOUND_TAG and break the loop; otherwise emit a skip log message indicating the missing asset.
Files: action.yml

Change: Adjust failure handling and outputs to align with the new selection flow and improve observability.
Details:
  • Change the failure condition to check for empty FOUND_VERSION/FOUND_TAG and update the error message to explicitly mention missing expected assets.
  • Retain and reuse existing listing of available releases for debugging when no valid release with the asset is found.
  • Update final success logs and GitHub Action outputs (version and tag_name) to use FOUND_VERSION and FOUND_TAG instead of the prior TAG_NAME/VERSION variables.
Files: action.yml


@guibranco guibranco enabled auto-merge (squash) March 27, 2026 14:24
@gstraccini gstraccini Bot added the ☑️ auto-merge Automatic merging of pull requests (gstraccini-bot) label Mar 27, 2026
@deepsource-io

deepsource-io Bot commented Mar 27, 2026

DeepSource Code Review

We reviewed changes in c635b77...0e21962 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

Code Review Summary

Analyzer Status Updated (UTC) Details
Secrets Mar 27, 2026 2:24p.m. Review ↗

@penify-dev penify-dev Bot added Bug fix Review effort [1-5]: 3 Moderate review effort required for this pull request (effort level: 3) labels Mar 27, 2026
@penify-dev
Contributor

penify-dev Bot commented Mar 27, 2026

PR Review 🔍

⏱️ Estimated effort to review [1-5]

3, because the changes involve a moderate amount of logic and iteration over releases, which requires careful consideration of edge cases and testing.

🧪 Relevant tests

No

⚡ Possible issues

Possible Bug: The new logic iterates through all releases, which may lead to performance issues if the number of releases is large. Consider implementing a limit or optimization.

🔒 Security concerns

No

@github-actions github-actions Bot deleted a comment from guibranco Mar 27, 2026
@guibranco guibranco merged commit ca0f74b into main Mar 27, 2026
13 of 14 checks passed
@guibranco guibranco deleted the guibranco-patch-1 branch March 27, 2026 14:25
@penify-dev
Contributor

penify-dev Bot commented Mar 27, 2026

PR Code Suggestions ✨

Category   Suggestion   Score
Performance
Improve asset validation logic to ensure accurate checks for asset presence

Consider using a more explicit check for the presence of the asset to avoid false
positives in the asset validation logic.

action.yml [86-88]

 HAS_ASSET=$(echo "$JSON" | jq -r --arg tag "$TAG_NAME" --arg asset "$ASSET" '
-.[] | select(.tag_name == $tag) | .assets[] | select(.name == $asset) | .name
+.[] | select(.tag_name == $tag) | .assets | map(select(.name == $asset)) | length > 0
 ')
 
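Review bot: the replacement filter on the `+` line ends in `length > 0`, so with `jq -r` HAS_ASSET becomes the literal string `true` or `false` instead of the asset name or nothing. The hunk does not show how HAS_ASSET is tested afterwards, and an emptiness test such as `[[ -n "$HAS_ASSET" ]]` would then accept every release, including the ones this PR is meant to skip. If this form is adopted, compare against `true` (or use `jq -e` and test the exit status), and write `(.assets // [])` so that a release whose assets is null does not make `map` fail.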
Suggestion importance[1-10]: 8

Why: This suggestion improves the asset validation logic by ensuring that the check for asset presence is more explicit, which can help avoid false positives.

8
Optimize tag name extraction to reduce unnecessary checks

Use a more efficient method to extract the tag names by avoiding unnecessary processing of
null values.

action.yml [102-105]

-select(.tag_name | startswith("v")) |
-select(.tag_name | contains("-postgres") | not) |
-.tag_name |
-select(. != null)
+select(.tag_name | startswith("v") and contains("-postgres") | not) |
+.tag_name
 
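Review bot: in the combined `select` on the first `+` line, `|` binds more loosely than `and`, so jq reads it as `.tag_name | ((startswith("v") and contains("-postgres")) | not)`. That is true for every tag that is not both v-prefixed and a -postgres build, so tags without the `v` prefix would now pass the filter. Keep the two conditions as separate `select` calls, or write `select(.tag_name | startswith("v") and (contains("-postgres") | not))`.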
Suggestion importance[1-10]: 7

Why: The suggestion optimizes the tag name extraction by reducing unnecessary checks, which can improve performance, but the impact may be minor.

7
Best practice
Handle exit status properly to ensure the script behaves as expected

Ensure that the exit status is properly handled after the asset check to avoid unintended
script termination.

action.yml [109-111]

 if [[ -z "$FOUND_VERSION" || -z "$FOUND_TAG" ]]; then
+  echo "❌ No valid Infisical CLI release found with the expected asset"
+  exit 1
 
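Review bot: the `exit 1` added directly after the `echo` ends the step before anything else in this branch can run. The PR description says the failure path lists the available releases and sets FETCH_FAILED=true, and the hunk shows neither before the exit. Keep the message, but place the release listing and the FETCH_FAILED assignment ahead of `exit 1`.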
Suggestion importance[1-10]: 6

Why: While the suggestion emphasizes proper exit status handling, the existing code already includes an exit statement, making this suggestion less critical.

6
Maintainability
Initialize variables to prevent potential issues with uninitialized values

Ensure that the FOUND_VERSION and FOUND_TAG variables are properly initialized to avoid
potential issues if the expected asset is not found.

action.yml [71-72]

-FOUND_VERSION=""
-FOUND_TAG=""
+FOUND_VERSION=${FOUND_VERSION:-""}
+FOUND_TAG=${FOUND_TAG:-""}
 
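Review bot: `${FOUND_VERSION:-""}` and `${FOUND_TAG:-""}` on the `+` lines keep whatever value the variable already holds, so a FOUND_VERSION or FOUND_TAG inherited from the step's environment would reach the final empty check without ever having gone through the asset check. The unconditional `FOUND_VERSION=""` and `FOUND_TAG=""` on the `-` lines are the safer initialisation and should stay as they are.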
Suggestion importance[1-10]: 3

Why: The suggestion to initialize the variables is correct, but the proposed change does not improve the existing initialization, as the variables are already initialized to empty strings.

3


@sourcery-ai sourcery-ai Bot left a comment

Hey - I've left some high level feedback:

  • The per-release asset check re-parses the full JSON with jq on each iteration; consider restructuring to iterate once over .[] and check both the metadata criteria and assets in a single jq invocation to avoid repeated scans.
  • The jq expression uses .assets[] which will error if assets is null or missing on a release; using .assets[]? or a safe fallback would make the asset existence check more robust to incomplete API responses.

Repository owner deleted a comment from github-actions Bot Mar 27, 2026
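
The release selection described in this pull request, written as the single jq pass with a null-safe `.assets[]?` that the Sourcery review asks for. This is an added example, not the action's own code: the `select_release` helper, the `_sr_out` variable and the sample JSON are constructed for illustration, and `jq` is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example (not the action's code): choose the newest release that passes
# the metadata filters AND lists the expected asset, in a single jq pass.

# Constructed sample of a GitHub releases API response, newest first.
SAMPLE_RELEASES='[
  {"tag_name":"v0.43.67-postgres","draft":false,"prerelease":false,
   "assets":[{"name":"cli_0.43.67-postgres_linux_amd64.tar.gz"}]},
  {"tag_name":"v0.43.66","draft":false,"prerelease":false,"assets":null},
  {"tag_name":"v0.43.65","draft":false,"prerelease":false,
   "assets":[{"name":"cli_0.43.65_linux_amd64.tar.gz"}]}
]'

# select_release JSON [ARCH]  (hypothetical helper)
# Prints "<tag> <version>" for the first usable release; returns 1 if the JSON
# cannot be parsed or no release carries cli_<version>_<ARCH>.tar.gz.
select_release() {
  _sr_out=$(printf '%s' "$1" | jq -r --arg arch "${2:-linux_amd64}" '
    [ .[]
      | select(.draft == false and .prerelease == false)
      | select((.tag_name // "")
               | startswith("v") and (contains("-postgres") | not))
      | (.tag_name | ltrimstr("v")) as $ver
      # .assets[]? yields nothing (instead of erroring) when assets is null
      | select(any(.assets[]?; .name == "cli_\($ver)_\($arch).tar.gz"))
      | "\(.tag_name) \($ver)"
    ] | first // empty
  ') || return 1
  [ -n "$_sr_out" ] || return 1
  printf '%s\n' "$_sr_out"
}

if RESULT=$(select_release "$SAMPLE_RELEASES"); then
  echo "✅ Selected release: $RESULT"
else
  echo "❌ No release with the expected asset" >&2
fi
```

Because the function returns non-zero when nothing matches, a caller can stop before the download step instead of handing a non-gzip response to `tar`.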
@guibranco
Owner Author

Infisical secrets check: ✅ No secrets leaked!

💻 Scan logs
2026-03-27T14:42:02Z INF scanning for exposed secrets...
2:42PM INF 139 commits scanned.
2026-03-27T14:42:02Z INF scan completed in 24ms
2026-03-27T14:42:02Z INF no leaks found
