refactor(nightly): address PR review feedback

- Remove redundant job-level permissions (workflow-level already covers it)
- Remove checkout step from publish-nightly (not needed — no repo files used)
- Add sha256 verification for ORAS CLI tarball download
- Add comment explaining why binaries are compressed in publish-nightly
- Use -dev.<timestamp> version format (consistent with build-binary job)
- Add AbortError class to errors.ts, replace Object.assign hack in upgrade.ts
- Use Record mapping for platform name in getNightlyGzFilename
- Revert --nightly flag to --version nightly in install script

Author: BYK

.github/workflows/ci.yml

@@ -227,26 +227,18 @@ jobs:
     if: github.ref == 'refs/heads/main' && github.event_name == 'push'
     needs: [build-binary]
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
     steps:
-      - uses: actions/checkout@v4
-
       - name: Download all binary artifacts
         uses: actions/download-artifact@v4
         with:
           pattern: sentry-*
           path: artifacts
           merge-multiple: true
 
-      - name: Install ORAS CLI
-        run: |
-          VERSION=1.2.3
-          curl -sfL "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz" \
-            | tar -xz -C /usr/local/bin oras
-
       - name: Compress binaries
+        # Build artifacts are raw binaries — compression for stable releases
+        # happens in Craft during publishing, not during build. GHCR nightly
+        # needs .gz for efficient OCI layers.
         run: |
           ls artifacts/
           for f in artifacts/sentry-linux-* artifacts/sentry-darwin-*; do
@@ -258,23 +250,29 @@ jobs:
           done
           ls artifacts/*.gz
 
+      - name: Install ORAS CLI
+        run: |
+          VERSION=1.2.3
+          EXPECTED_SHA256="b4efc97a91f471f323f193ea4b4d63d8ff443ca3aab514151a30751330852827"
+          TARBALL="oras_${VERSION}_linux_amd64.tar.gz"
+          curl -sfLo "$TARBALL" "https://github.com/oras-project/oras/releases/download/v${VERSION}/${TARBALL}"
+          echo "${EXPECTED_SHA256}  ${TARBALL}" | sha256sum -c -
+          tar -xz -C /usr/local/bin oras < "$TARBALL"
+          rm "$TARBALL"
+
       - name: Compute nightly version
         id: version
         run: |
-          # Derive a deterministic Unix timestamp from the commit so that all
-          # jobs in this workflow run produce the same version string.
-          TS=$(date -d '${{ github.event.head_commit.timestamp }}' +%s 2>/dev/null \
-               || date -j -f "%Y-%m-%dT%H:%M:%S%z" '${{ github.event.head_commit.timestamp }}' +%s 2>/dev/null \
-               || echo ${{ github.run_number }})
-          VERSION="0.0.0-nightly.${TS}"
+          # The build-binary job bakes X.Y.Z-dev.<TS> into each binary using the
+          # same COMMIT_TIMESTAMP env var. Re-derive the version here so the GHCR
+          # manifest annotation matches the version string inside the binary.
+          TS=$(date -d "$COMMIT_TIMESTAMP" +%s)
+          CURRENT=$(curl -sf "https://raw.githubusercontent.com/${{ github.repository }}/${{ github.sha }}/package.json" \
+                    | awk -F'"' '/"version"/{print $4}')
+          VERSION=$(echo "$CURRENT" | sed "s/-dev\.[0-9]*$/-dev.${TS}/")
           echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
           echo "Nightly version: ${VERSION}"
 
-      - name: Create version.json
-        run: |
-          echo '{"version":"${{ steps.version.outputs.version }}"}' > version.json
-          cat version.json
-
       - name: Log in to GHCR
         run: echo "${{ secrets.GITHUB_TOKEN }}" | oras login ghcr.io -u ${{ github.actor }} --password-stdin
 
@@ -285,8 +283,7 @@ jobs:
             --artifact-type application/vnd.sentry.cli.nightly \
             --annotation "org.opencontainers.image.source=https://github.com/getsentry/cli" \
             --annotation "version=${VERSION}" \
-            artifacts/*.gz \
-            version.json
+            artifacts/*.gz
 
   test-e2e:
     name: E2E Tests

install

@@ -13,8 +13,7 @@ Usage: install [options]
 
 Options:
     -h, --help              Display this help message
-    -v, --version <version> Install a specific version (e.g., 0.2.0)
-        --nightly           Install the latest nightly build from GHCR
+    -v, --version <version> Install a specific version (e.g., 0.2.0) or "nightly"
         --no-modify-path    Don't modify shell config files (.zshrc, .bashrc, etc.)
         --no-completions    Don't install shell completions
 
@@ -25,13 +24,11 @@ Examples:
     curl -fsSL https://cli.sentry.dev/install | bash
     curl -fsSL https://cli.sentry.dev/install | bash -s -- --version nightly
     curl -fsSL https://cli.sentry.dev/install | bash -s -- --version 0.2.0
-    curl -fsSL https://cli.sentry.dev/install | bash -s -- --nightly
     SENTRY_INSTALL_DIR=~/.local/bin curl -fsSL https://cli.sentry.dev/install | bash
 EOF
 }
 
 requested_version=""
-nightly=false
 no_modify_path=false
 no_completions=false
 while [[ $# -gt 0 ]]; do
@@ -46,10 +43,6 @@ while [[ $# -gt 0 ]]; do
         exit 1
       fi
       ;;
-    --nightly)
-      nightly=true
-      shift
-      ;;
     --no-modify-path)
       no_modify_path=true
       shift
@@ -88,13 +81,6 @@ if [[ "$os" == "windows" ]]; then
   fi
 fi
 
-# Validate flag combinations
-if [[ "$nightly" == "true" && -n "$requested_version" ]]; then
-  echo -e "${RED}Error: --nightly and --version are mutually exclusive${NC}"
-  exit 1
-fi
-
-
 # Download binary to a temp location
 tmpdir="${TMPDIR:-${TMP:-${TEMP:-/tmp}}}"
 tmp_binary="${tmpdir}/sentry-install-$$${suffix}"
@@ -103,7 +89,7 @@ version=""
 # Clean up temp binary on failure (setup handles cleanup on success)
 trap 'rm -f "$tmp_binary"' EXIT
 
-if [[ "$nightly" == "true" ]]; then
+if [[ "$requested_version" == "nightly" ]]; then
   # Nightly build: download from GHCR via OCI blob protocol.
   # No jq needed — parse JSON with awk.
   # ghcr.io blob downloads redirect to Azure Blob Storage. curl -L would
@@ -202,8 +188,9 @@ chmod +x "$tmp_binary"
 # completions, agent skills, and the welcome message.
 # --channel persists the release channel so future `sentry cli upgrade`
 # calls track the same channel without requiring a flag.
-channel="nightly"
-if [[ "$nightly" != "true" ]]; then
+if [[ "$requested_version" == "nightly" ]]; then
+  channel="nightly"
+else
   channel="stable"
 fi
 setup_args="--install --method curl --channel $channel"

src/lib/errors.ts

@@ -376,6 +376,20 @@ export class SeerError extends CliError {
 
 // Error Utilities
 
+/**
+ * Thrown when an operation is cancelled via an AbortSignal.
+ *
+ * Matches the `error.name === "AbortError"` convention used throughout the
+ * codebase (version-check.ts, sentry-client.ts, binary.ts) to detect and
+ * silently swallow cancellation errors.
+ */
+export class AbortError extends Error {
+  override name = "AbortError" as const;
+  constructor() {
+    super("The operation was aborted");
+  }
+}
+
 /**
  * Convert an unknown value to a human-readable string.
  *

src/lib/ghcr.ts

@@ -156,7 +156,7 @@ export async function fetchNightlyManifest(
  * The version is set via `--annotation "version=<ver>"` during `oras push`.
  *
  * @param manifest - OCI manifest from {@link fetchNightlyManifest}
- * @returns Version string (e.g., "0.0.0-nightly.1740000000")
+ * @returns Version string (e.g., "0.13.0-dev.1740000000")
  * @throws {UpgradeError} When the version annotation is missing
  */
 export function getNightlyVersion(manifest: OciManifest): string {

src/lib/upgrade.ts

@@ -24,7 +24,7 @@ import {
 import { CLI_VERSION } from "./constants.js";
 import { getInstallInfo, setInstallInfo } from "./db/install-info.js";
 import type { ReleaseChannel } from "./db/release-channel.js";
-import { UpgradeError } from "./errors.js";
+import { AbortError, UpgradeError } from "./errors.js";
 import {
   downloadNightlyBlob,
   fetchNightlyManifest,
@@ -334,7 +334,7 @@ export async function fetchLatestFromNpm(): Promise<string> {
  * only 2 HTTP requests total (token + manifest), no blob download needed.
  *
  * @param signal - Optional AbortSignal to cancel the requests
- * @returns Latest nightly version string (e.g., "0.0.0-nightly.1740000000")
+ * @returns Latest nightly version string (e.g., "0.13.0-dev.1740000000")
  * @throws {UpgradeError} When fetch fails or the version annotation is missing
  */
 export async function fetchLatestNightlyVersion(
@@ -343,13 +343,13 @@ export async function fetchLatestNightlyVersion(
   // AbortSignal is not threaded through ghcr helpers, but checking it before
   // each network call ensures we bail out promptly when the process exits.
   if (signal?.aborted) {
-    throw Object.assign(new Error("AbortError"), { name: "AbortError" });
+    throw new AbortError();
   }
 
   const token = await getAnonymousToken();
 
   if (signal?.aborted) {
-    throw Object.assign(new Error("AbortError"), { name: "AbortError" });
+    throw new AbortError();
   }
 
   const manifest = await fetchNightlyManifest(token);
@@ -359,13 +359,14 @@ export async function fetchLatestNightlyVersion(
 /**
  * Detect if the given version string represents a nightly build.
  *
- * Nightly versions follow the pattern `0.0.0-nightly.<timestamp>`.
+ * Nightly versions follow the pattern `X.Y.Z-dev.<timestamp>` (the same
+ * format the build system bakes in via `sed "s/-dev\.[0-9]*$/-dev.${TS}/"`).
  *
  * @param version - Version string to check
  * @returns true if the version is a nightly build
  */
 export function isNightlyVersion(version: string): boolean {
-  return version.includes("-nightly.");
+  return version.includes("-dev.");
 }
 
 /**
@@ -468,14 +469,11 @@ async function streamDecompressToFile(
  * @returns Filename of the gzip-compressed binary for this platform
  */
 function getNightlyGzFilename(): string {
-  let os: string;
-  if (process.platform === "darwin") {
-    os = "darwin";
-  } else if (process.platform === "win32") {
-    os = "windows";
-  } else {
-    os = "linux";
-  }
+  const platformNames: Record<string, string> = {
+    darwin: "darwin",
+    win32: "windows",
+  };
+  const os = platformNames[process.platform] ?? "linux";
   const arch = process.arch === "arm64" ? "arm64" : "x64";
   const suffix = process.platform === "win32" ? ".exe" : "";
   return `sentry-${os}-${arch}${suffix}.gz`;

src/lib/version-check.ts

@@ -1,7 +1,7 @@
 /**
  * Background version check for "new version available" notifications.
  *
- * For nightly builds (CLI_VERSION contains "-nightly."), checks GHCR for the
+ * For nightly builds (CLI_VERSION contains "-dev.<timestamp>"), checks GHCR for the
  * latest nightly version via the OCI manifest annotation. For stable builds,
  * checks GitHub Releases. Results are cached in the database and shown on
  * subsequent runs.

test/commands/cli/upgrade.test.ts

@@ -367,7 +367,7 @@ describe("sentry cli upgrade", () => {
 
   describe("nightly version check", () => {
     test("--check mode with 'nightly' positional fetches latest from GHCR", async () => {
-      const nightlyVersion = "0.0.0-nightly.1740000000";
+      const nightlyVersion = "0.0.0-dev.1740000000";
       // 'nightly' as positional switches channel to nightly — fetches from GHCR
       mockGhcrNightlyVersion(nightlyVersion);
 
@@ -386,7 +386,7 @@ describe("sentry cli upgrade", () => {
     });
 
     test("--check with 'nightly' positional shows upgrade hint when newer nightly available", async () => {
-      const nightlyVersion = "0.0.0-nightly.1740000000";
+      const nightlyVersion = "0.0.0-dev.1740000000";
       mockGhcrNightlyVersion(nightlyVersion);
 
       const { context, output } = createMockContext({ homeDir: testDir });
@@ -691,7 +691,7 @@ describe("sentry cli upgrade — curl full upgrade path (Bun.spawn spy)", () =>
         }
         return new Response(
           JSON.stringify({
-            annotations: { version: "0.99.0-nightly.1234567890" },
+            annotations: { version: "0.99.0-dev.1234567890" },
             layers: [
               {
                 digest: "sha256:abc123",
@@ -808,7 +808,7 @@ describe("sentry cli upgrade — migrateToStandaloneForNightly (Bun.spawn spy)",
         }
         return new Response(
           JSON.stringify({
-            annotations: { version: "0.99.0-nightly.1234567890" },
+            annotations: { version: "0.99.0-dev.1234567890" },
             layers: [
               {
                 digest: "sha256:abc456",

test/lib/ghcr.test.ts

@@ -57,7 +57,7 @@ function makeManifest(overrides: Partial<OciManifest> = {}): OciManifest {
       },
     ],
     annotations: {
-      version: "0.0.0-nightly.1740000000",
+      version: "0.0.0-dev.1740000000",
       "org.opencontainers.image.source": "https://github.com/getsentry/cli",
     },
     ...overrides,
@@ -174,7 +174,7 @@ describe("fetchNightlyManifest", () => {
 describe("getNightlyVersion", () => {
   test("extracts version from manifest annotations", () => {
     const manifest = makeManifest();
-    expect(getNightlyVersion(manifest)).toBe("0.0.0-nightly.1740000000");
+    expect(getNightlyVersion(manifest)).toBe("0.0.0-dev.1740000000");
   });
 
   test("throws UpgradeError when version annotation is missing", () => {

test/lib/upgrade.test.ts

@@ -377,7 +377,7 @@ describe("fetchLatestVersion", () => {
       if (urlStr.includes("/manifests/nightly")) {
         return new Response(
           JSON.stringify({
-            annotations: { version: "0.0.0-nightly.1740393600" },
+            annotations: { version: "0.0.0-dev.1740393600" },
           }),
           { status: 200 }
         );
@@ -386,7 +386,7 @@ describe("fetchLatestVersion", () => {
     });
 
     const version = await fetchLatestVersion("curl", "nightly");
-    expect(version).toBe("0.0.0-nightly.1740393600");
+    expect(version).toBe("0.0.0-dev.1740393600");
   });
 
   test("uses GHCR manifest when channel is nightly (npm method)", async () => {
@@ -399,7 +399,7 @@ describe("fetchLatestVersion", () => {
       if (urlStr.includes("/manifests/nightly")) {
         return new Response(
           JSON.stringify({
-            annotations: { version: "0.0.0-nightly.1740393600" },
+            annotations: { version: "0.0.0-dev.1740393600" },
           }),
           { status: 200 }
         );
@@ -408,7 +408,7 @@ describe("fetchLatestVersion", () => {
     });
 
     const version = await fetchLatestVersion("npm", "nightly");
-    expect(version).toBe("0.0.0-nightly.1740393600");
+    expect(version).toBe("0.0.0-dev.1740393600");
   });
 
   test("defaults to stable channel (uses GitHub) when channel omitted", async () => {
@@ -1074,8 +1074,8 @@ describe("startCleanupOldBinary", () => {
 
 describe("isNightlyVersion", () => {
   test("returns true for nightly version strings", () => {
-    expect(isNightlyVersion("0.0.0-nightly.1740000000")).toBe(true);
-    expect(isNightlyVersion("0.0.0-nightly.1")).toBe(true);
+    expect(isNightlyVersion("0.0.0-dev.1740000000")).toBe(true);
+    expect(isNightlyVersion("0.0.0-dev.1")).toBe(true);
   });
 
   test("returns false for stable version strings", () => {
@@ -1104,7 +1104,7 @@ describe("fetchLatestNightlyVersion", () => {
           JSON.stringify({
             schemaVersion: 2,
             layers: [],
-            annotations: { version: "0.0.0-nightly.1740000000" },
+            annotations: { version: "0.0.0-dev.1740000000" },
           }),
           {
             status: 200,
@@ -1118,7 +1118,7 @@ describe("fetchLatestNightlyVersion", () => {
     });
 
     const version = await fetchLatestNightlyVersion();
-    expect(version).toBe("0.0.0-nightly.1740000000");
+    expect(version).toBe("0.0.0-dev.1740000000");
     expect(callCount).toBe(2); // token + manifest
   });
 
@@ -1219,7 +1219,7 @@ describe("executeUpgrade with curl method (nightly)", () => {
                 annotations: { "org.opencontainers.image.title": title },
               },
             ],
-            annotations: { version: "0.0.0-nightly.1740000000" },
+            annotations: { version: "0.0.0-dev.1740000000" },
           }),
           { status: 200 }
         );
@@ -1231,7 +1231,7 @@ describe("executeUpgrade with curl method (nightly)", () => {
       return new Response("Not Found", { status: 404 });
     });
 
-    const result = await executeUpgrade("curl", "0.0.0-nightly.1740000000");
+    const result = await executeUpgrade("curl", "0.0.0-dev.1740000000");
 
     expect(result).not.toBeNull();
     expect(result).toHaveProperty("tempBinaryPath");