From d702f745829a3441282669ae3598e87b13e150fe Mon Sep 17 00:00:00 2001
From: kone
Date: Tue, 9 Jun 2026 01:13:48 +0800
Subject: [PATCH] fix: add binary release assets to CI and update download allowlist

- Build linux_amd64 binary in CI and upload to Gitea release assets
- Add checksums.txt for integrity verification
- Update allowed download hosts to Gitea domain/IP
---
 .gitea/workflows/release-image.yml | 32 ++++++++++++++++++++--
 backend/internal/service/update_service.go | 6 ++--
 2 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/.gitea/workflows/release-image.yml b/.gitea/workflows/release-image.yml
index 356575a5..048afa8c 100644
--- a/.gitea/workflows/release-image.yml
+++ b/.gitea/workflows/release-image.yml
@@ -81,6 +81,18 @@ jobs:
 docker push "$IMAGE_NAME:$VERSION"
 docker push "$IMAGE_NAME:latest"
 
+ - name: Build binary
+ run: |
+ set -eu
+ cd backend
+ CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
+ -ldflags "-s -w -X main.Version=${VERSION} -X main.Commit=${COMMIT} -X main.BuildDate=${BUILD_DATE}" \
+ -o /tmp/sub2api \
+ ./cmd/server
+ cd /tmp
+ tar -czf "sub2api_linux_amd64.tar.gz" sub2api
+ sha256sum "sub2api_linux_amd64.tar.gz" > checksums.txt
+
 - name: Create Gitea release
 env:
 RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
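Review bot: checksums.txt is produced in the same job and published as a sibling asset of the archive it describes, so in the "Build binary" step it only lets a consumer detect transfer corruption — anyone able to replace the tarball on the release can regenerate the hash file in the same way, and nothing here gives the download an independent authenticity root. If the updater is meant to rely on it (the commit message says "integrity verification"), a signature over checksums.txt made with a key held outside the release host is the check that is missing; at minimum the limitation should be stated next to the `sha256sum` line, e.g. `# checksums.txt only detects corruption; it is served from the same release as the archive and is not signed`. Separately, `${COMMIT}` and `${BUILD_DATE}` are expanded under `set -eu` but are not set in this step; if they are not provided by job-level `env` outside the hunk, the step aborts before the tarball exists.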
@@ -88,9 +100,25 @@ jobs:
 set -eu
 BODY="Docker image: ${IMAGE_NAME}:${VERSION}"
 PAYLOAD=$(printf '{"tag_name":"%s","target_commitish":"%s","name":"Sub2API %s","body":"%s","draft":false,"prerelease":false}' "$TAG" "$(git rev-parse HEAD)" "$VERSION" "$BODY")
- curl -fsS \
+ RELEASE_ID=$(curl -fsS \
 -X POST \
 -H "Authorization: token ${RELEASE_TOKEN}" \
 -H "Content-Type: application/json" \
 -d "$PAYLOAD" \
- "$GITEA_API_URL/repos/$GITEA_OWNER/$GITEA_REPO/releases" || true
+ "$GITEA_API_URL/repos/$GITEA_OWNER/$GITEA_REPO/releases" | grep -o '"id":[0-9]*' | head -1 | grep -o '[0-9]*')
+
+ # Upload binary archive
+ curl -fsS \
+ -X POST \
+ -H "Authorization: token ${RELEASE_TOKEN}" \
+ -H "Content-Type: application/octet-stream" \
+ --data-binary @/tmp/sub2api_linux_amd64.tar.gz \
+ "$GITEA_API_URL/repos/$GITEA_OWNER/$GITEA_REPO/releases/${RELEASE_ID}/assets?name=sub2api_linux_amd64.tar.gz"
+
+ # Upload checksums
+ curl -fsS \
+ -X POST \
+ -H "Authorization: token ${RELEASE_TOKEN}" \
+ -H "Content-Type: text/plain" \
+ --data-binary @/tmp/checksums.txt \
+ "$GITEA_API_URL/repos/$GITEA_OWNER/$GITEA_REPO/releases/${RELEASE_ID}/assets?name=checksums.txt"
diff --git a/backend/internal/service/update_service.go b/backend/internal/service/update_service.go
index 28026805..77f5d110 100644
--- a/backend/internal/service/update_service.go
+++ b/backend/internal/service/update_service.go
@@ -22,11 +22,11 @@ import (
 const (
 updateCacheKey = "update_check_cache"
 updateCacheTTL = 1200 // 20 minutes
- defaultGitHubRepo = "man209111-cpu/sub2api"
+ defaultGitHubRepo = "kgod/sub2api"
 // Security: allowed download domains for updates
- allowedDownloadHost = "git.jianshixingqiu.com"
- allowedAssetHost = "objects.githubusercontent.com"
+ allowedDownloadHost = "git.jianshixingqiu.com"
+ allowedAssetHost = "8.138.12.104"
 // Security: max download size (500MB)
 maxDownloadSize = 500 * 1024 * 1024
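Review bot: `RELEASE_ID` is taken from the first `"id":` anywhere in the create-release response, which relies on the release's own id appearing before the ids of nested objects (author, assets) in Gitea's JSON; if that order ever differs, both assets are uploaded to a release id that is not the one just created, and nothing checks the value before it is spliced into the two asset URLs. `set -e` only catches the empty case (the final `grep` exits 1), so add a guard after the assignment such as `case "$RELEASE_ID" in ''|*[!0-9]*) echo "could not parse release id" >&2; exit 1;; esac`, or anchor the extraction to the top-level object with `grep -o '^{"id":[0-9]*'`. Dropping `|| true` also changes behaviour that the message does not mention: a re-run for a tag whose release already exists will now presumably fail at the create call rather than proceed, which may be intended but is worth stating in the step. The `run:` script this hunk edits starts outside the hunk.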
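Review bot: `allowedAssetHost` is now a bare IPv4 literal, while the comment directly above it still reads "allowed download domains" and `defaultGitHubRepo` now names a Gitea repository; the names and comments no longer describe the values. A host-only allowlist check (the updater code is not in this hunk) would accept a URL on that IP, and such a URL only passes TLS verification if the server's certificate carries the IP as a SAN; if the download path falls back to plain HTTP or relaxes verification to make this work, the fetched binary is authenticated by nothing but a checksum file served from the same origin. Update the comment to state the constraint, e.g. `// Security: allowed download hosts for updates (asset host is a bare IP; downloads must stay on https with certificate validation)`, and consider renaming `defaultGitHubRepo` so the Gitea origin is not mistaken for a GitHub one.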