feat: add glean update command for self-updating the CLI

- Detects Homebrew installs and delegates to `brew upgrade`
- Downloads the correct platform archive from GitHub Releases
- Verifies SHA-256 checksum against checksums.txt before applying
- Atomically replaces the running binary via minio/selfupdate
- Suppresses redundant background update notice during `glean update`
- Dev builds are rejected with a clear error message

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

Author: scalvert

cmd/root.go

@@ -52,6 +52,10 @@ func NewCmdRoot() *cobra.Command {
 			_ = verbosity // reserved for future debug logging
 		},
 		PersistentPostRun: func(cmd *cobra.Command, args []string) {
+			// Skip update notice when the user is already running `glean update`.
+			if cmd.Name() == "update" {
+				return
+			}
 			noticeCh := update.CheckAsync(cliVersion)
 			if notice := <-noticeCh; notice != "" {
 				fmt.Fprintf(os.Stderr, "\n%s\n", notice)
@@ -156,6 +160,8 @@ func NewCmdRoot() *cobra.Command {
 	genSkills.Hidden = true
 	cmd.AddCommand(genSkills)
 
+	cmd.AddCommand(NewCmdUpdate())
+
 	// Propagate settings to all subcommands
 	for _, subCmd := range cmd.Commands() {
 		subCmd.SilenceUsage = true

cmd/update.go

@@ -0,0 +1,30 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/gleanwork/glean-cli/internal/update"
+	"github.com/spf13/cobra"
+)
+
+func NewCmdUpdate() *cobra.Command {
+	return &cobra.Command{
+		Use:   "update",
+		Short: "Update the glean CLI to the latest version",
+		Long: `Check for a newer release of the glean CLI and install it.
+
+If glean was installed via Homebrew, this runs:
+  brew upgrade gleanwork/tap/glean-cli
+
+Otherwise the latest binary is downloaded from GitHub Releases,
+its SHA-256 checksum is verified, and the running binary is replaced.`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			// Read cliVersion at call time, not construction time, so the
+			// ldflags-injected version (set via SetVersion in main) is used.
+			if err := update.Upgrade(cliVersion); err != nil {
+				return fmt.Errorf("update failed: %w", err)
+			}
+			return nil
+		},
+	}
+}

go.mod

@@ -28,6 +28,7 @@ require (
 )
 
 require (
+	aead.dev/minisign v0.2.0 // indirect
 	al.essio.dev/pkg/shellescape v1.5.1 // indirect
 	github.com/alecthomas/chroma/v2 v2.20.0 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
@@ -56,6 +57,7 @@ require (
 	github.com/mattn/go-localereader v0.0.1 // indirect
 	github.com/mattn/go-runewidth v0.0.19 // indirect
 	github.com/microcosm-cc/bluemonday v1.0.27 // indirect
+	github.com/minio/selfupdate v0.6.0 // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/reflow v0.3.0 // indirect
@@ -66,6 +68,7 @@ require (
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/yuin/goldmark v1.7.13 // indirect
 	github.com/yuin/goldmark-emoji v1.0.6 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
 	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/sync v0.18.0 // indirect
 	golang.org/x/sys v0.37.0 // indirect

go.sum

@@ -1,3 +1,5 @@
+aead.dev/minisign v0.2.0 h1:kAWrq/hBRu4AARY6AlciO83xhNnW9UaC8YipS2uhLPk=
+aead.dev/minisign v0.2.0/go.mod h1:zdq6LdSd9TbuSxchxwhpA9zEb9YXcVGoE8JakuiGaIQ=
 al.essio.dev/pkg/shellescape v1.5.1 h1:86HrALUujYS/h+GtqoB26SBEdkWfmMI6FubjXlsXyho=
 al.essio.dev/pkg/shellescape v1.5.1/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
 github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
@@ -103,6 +105,8 @@ github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byF
 github.com/mattn/go-runewidth v0.0.19/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
 github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk=
 github.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA=
+github.com/minio/selfupdate v0.6.0 h1:i76PgT0K5xO9+hjzKcacQtO7+MjJ4JKA8Ak8XQ9DDwU=
+github.com/minio/selfupdate v0.6.0/go.mod h1:bO02GTIPCMQFTEvE5h4DjYB58bCoZ35XLeBf0buTDdM=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo=
 github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
@@ -144,24 +148,42 @@ github.com/yuin/goldmark-emoji v1.0.6/go.mod h1:ukxJDKFpdFb5x0a5HqbdlcKtebh086iJ
 github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8ua9s=
 github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
 golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.33.0 h1:4Q+qn+E5z8gPRJfmRy7C2gGG3T4jIprK6aSYgTXGRpo=
 golang.org/x/oauth2 v0.33.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
 golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210228012217-479acdf4ea46/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
 golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q=
 golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
 golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

internal/update/check.go

@@ -19,6 +19,7 @@ const (
 	cacheFile     = ".glean/update-check.json"
 	checkInterval = 24 * time.Hour
 	releaseAPIURL = "https://api.github.com/repos/gleanwork/glean-cli/releases/latest"
+	devVersion    = "dev"
 )
 
 type cacheEntry struct {
@@ -44,7 +45,7 @@ func CheckAsync(currentVersion string) <-chan string {
 
 func check(currentVersion string) string {
 	// Skip for dev builds.
-	if currentVersion == "dev" || currentVersion == "" {
+	if currentVersion == devVersion || currentVersion == "" {
 		return ""
 	}
 

internal/update/upgrade.go

@@ -0,0 +1,211 @@
+package update
+
+import (
+	"archive/tar"
+	"archive/zip"
+	"bytes"
+	"compress/gzip"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+	"time"
+
+	"github.com/minio/selfupdate"
+)
+
+const (
+	releaseDownloadURL = "https://github.com/gleanwork/glean-cli/releases/download"
+	checksumFile       = "checksums.txt"
+	binaryName         = "glean"
+)
+
+// Upgrade checks for a newer release and installs it.
+// If the binary was installed via Homebrew it delegates to `brew upgrade`.
+// Otherwise it downloads the appropriate archive from GitHub Releases,
+// verifies its SHA-256 checksum, and atomically replaces the running binary.
+func Upgrade(currentVersion string) error {
+	if currentVersion == devVersion || currentVersion == "" {
+		return fmt.Errorf("cannot update a dev build — build from source instead")
+	}
+
+	// Homebrew-managed install: let brew handle the upgrade.
+	if isBrewInstall() {
+		return brewUpgrade()
+	}
+
+	fmt.Fprintln(os.Stderr, "Checking for updates...")
+
+	latest, err := fetchLatestTag()
+	if err != nil {
+		return fmt.Errorf("could not fetch latest release: %w", err)
+	}
+
+	if !isNewer(latest, currentVersion) {
+		fmt.Printf("Already up to date (%s)\n", currentVersion)
+		return nil
+	}
+
+	fmt.Fprintf(os.Stderr, "Updating %s → %s\n", currentVersion, latest)
+
+	assetName := assetFilename()
+	assetURL := fmt.Sprintf("%s/%s/%s", releaseDownloadURL, latest, assetName)
+	checksumURL := fmt.Sprintf("%s/%s/%s", releaseDownloadURL, latest, checksumFile)
+
+	archive, err := download(assetURL)
+	if err != nil {
+		return fmt.Errorf("download failed: %w", err)
+	}
+
+	if err := verifyChecksum(archive, assetName, checksumURL); err != nil {
+		return fmt.Errorf("checksum verification failed: %w", err)
+	}
+
+	binary, err := extractBinary(assetName, archive)
+	if err != nil {
+		return fmt.Errorf("could not extract binary: %w", err)
+	}
+
+	if err := selfupdate.Apply(bytes.NewReader(binary), selfupdate.Options{}); err != nil {
+		return fmt.Errorf("could not apply update: %w", err)
+	}
+
+	fmt.Printf("Updated to %s\n", latest)
+	return nil
+}
+
+// isBrewInstall reports whether the running binary lives inside a Homebrew Cellar.
+func isBrewInstall() bool {
+	exe, err := os.Executable()
+	if err != nil {
+		return false
+	}
+	return strings.Contains(exe, "/Cellar/") || strings.Contains(exe, "/homebrew/")
+}
+
+// brewUpgrade runs `brew upgrade gleanwork/tap/glean-cli`.
+func brewUpgrade() error {
+	fmt.Fprintln(os.Stderr, "Detected Homebrew install — running brew upgrade...")
+	cmd := exec.Command("brew", "upgrade", "gleanwork/tap/glean-cli")
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	return cmd.Run()
+}
+
+// assetFilename returns the expected archive name for the current platform.
+// Matches the GoReleaser name_template in .goreleaser.yaml:
+// glean-cli_{OS}_{arch}.tar.gz  (e.g. glean-cli_Darwin_arm64.tar.gz)
+func assetFilename() string {
+	goos := runtime.GOOS
+	goarch := runtime.GOARCH
+
+	// GoReleaser uses the `title` filter: "darwin" → "Darwin"
+	osName := strings.ToUpper(goos[:1]) + goos[1:]
+	archName := goarch
+	if goarch == "amd64" {
+		archName = "x86_64"
+	}
+
+	ext := "tar.gz"
+	if goos == "windows" {
+		ext = "zip"
+	}
+
+	return fmt.Sprintf("glean-cli_%s_%s.%s", osName, archName, ext)
+}
+
+// download fetches a URL and returns the body bytes.
+func download(url string) ([]byte, error) {
+	client := &http.Client{Timeout: 120 * time.Second}
+	resp, err := client.Get(url)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("HTTP %d from %s", resp.StatusCode, url)
+	}
+	return io.ReadAll(resp.Body)
+}
+
+// verifyChecksum fetches checksums.txt and confirms the archive matches.
+func verifyChecksum(archive []byte, assetName, checksumURL string) error {
+	raw, err := download(checksumURL)
+	if err != nil {
+		return fmt.Errorf("could not fetch checksums: %w", err)
+	}
+
+	want := ""
+	for line := range strings.SplitSeq(string(raw), "\n") {
+		fields := strings.Fields(line)
+		if len(fields) == 2 && fields[1] == assetName {
+			want = fields[0]
+			break
+		}
+	}
+	if want == "" {
+		return fmt.Errorf("no checksum entry found for %s", assetName)
+	}
+
+	sum := sha256.Sum256(archive)
+	got := hex.EncodeToString(sum[:])
+	if got != want {
+		return fmt.Errorf("checksum mismatch: got %s want %s", got, want)
+	}
+	return nil
+}
+
+// extractBinary pulls the `glean` (or `glean.exe`) binary out of the archive.
+func extractBinary(assetName string, data []byte) ([]byte, error) {
+	if strings.HasSuffix(assetName, ".zip") {
+		return extractFromZip(data)
+	}
+	return extractFromTarGz(data)
+}
+
+func extractFromTarGz(data []byte) ([]byte, error) {
+	gz, err := gzip.NewReader(bytes.NewReader(data))
+	if err != nil {
+		return nil, err
+	}
+	defer gz.Close()
+
+	tr := tar.NewReader(gz)
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return nil, err
+		}
+		if hdr.Name == binaryName || strings.HasSuffix(hdr.Name, "/"+binaryName) {
+			return io.ReadAll(tr)
+		}
+	}
+	return nil, fmt.Errorf("glean binary not found in archive")
+}
+
+func extractFromZip(data []byte) ([]byte, error) {
+	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
+	if err != nil {
+		return nil, err
+	}
+	for _, f := range r.File {
+		if f.Name == binaryName+".exe" || strings.HasSuffix(f.Name, "/"+binaryName+".exe") ||
+			f.Name == binaryName || strings.HasSuffix(f.Name, "/"+binaryName) {
+			rc, err := f.Open()
+			if err != nil {
+				return nil, err
+			}
+			defer rc.Close()
+			return io.ReadAll(rc)
+		}
+	}
+	return nil, fmt.Errorf("glean binary not found in archive")
+}