Non-disruptive upgrade: staged install with in-process file copy#1958
Merged
Conversation
tyrielv
force-pushed
the
tyrielv/streamlined-upgrade
branch
13 times, most recently
from
3118ffa to
0c938a7
Compare
dscho
approved these changes
May 6, 2026
tyrielv
force-pushed
the
tyrielv/streamlined-upgrade
branch
from
0c938a7 to
2322165
Compare
Add staged upgrade mode to the installer, activated by /KEEPMOUNTED=true
in silent installs or via dialog in interactive mode. Without this flag,
the installer behaves as before.
When staging:
- Most files go to {app}\PendingUpgrade\ instead of replacing in-place
- GVFS.Service.exe is replaced directly (brief stop/start)
- Mount processes continue running on old binaries throughout
- .ready marker written after all files staged (guards against partial)
When not staging (clean upgrade):
- CloseApplications=no prevents Restart Manager from killing processes
- Force-kill GVFS processes if unmount-all fails to clean up
- WaitForServiceProcessToExit polls sc query after sc stop/delete
Assisted-by: Claude Opus 4.6
Signed-off-by: Tyrie Vella <tyrielv@gmail.com>
tyrielv
force-pushed
the
tyrielv/streamlined-upgrade
branch
from
2322165 to
7dc96b3
Compare
mjcheetham
reviewed
May 7, 2026
Add PendingUpgradeHandler to apply staged upgrades using atomic file moves (old files to PreviousVersion, staged files to install dir). Skips GVFS.Service.exe (already replaced by installer, locked by running service). Safety mechanisms: - .ready marker: rejects PendingUpgrade if installer was interrupted - .phase1-complete marker: ensures crash during backup is recoverable (incomplete Phase 1 is restored and retried, not skipped) - Defers if any GVFS.Mount processes are still running Trigger upgrade in two ways: - On service start: checks before automount - After repo unmount: timer-based debounce (5s) so multiple unmounts in quick succession result in a single upgrade attempt Assisted-by: Claude Opus 4.6 Signed-off-by: Tyrie Vella <tyrielv@gmail.com>
Add upgrade-tests.yaml with matrix of 5 scenarios: - staging-upgrade: LKG -> mount -> stage -> unmount -> verify completion - clean-upgrade: LKG -> mount -> clean install -> verify - double-staging: stage twice, verify second overwrites first - staging-then-clean: stage then clean install removes PendingUpgrade - mount-safety-deferral: verify upgrade defers while mount is running Wire into build.yaml as a required check alongside functional tests. Assisted-by: Claude Opus 4.6 Signed-off-by: Tyrie Vella <tyrielv@gmail.com>
tyrielv
force-pushed
the
tyrielv/streamlined-upgrade
branch
from
7dc96b3 to
116c1bb
Compare
KeithIsSleeping
approved these changes
May 7, 2026
tyrielv
added a commit
that referenced
this pull request
May 8, 2026
Address review feedback from #1958: - StopService/StagingUpdateService: check sc.exe exit code separately from Exec launch failure. Previously non-zero sc.exe results were silently ignored. - Timer race: wrap pendingUpgradeTimer create/reset in a lock. Two concurrent unmounts on separate pipe threads could both observe null and create duplicate timers, causing parallel TryApplyPendingUpgrade. - .ready race: move service start from AfterInstall hook to ssPostInstall after .ready marker is written. Previously the service could start its 5s debounce timer before .ready existed, skip the upgrade, and leave staged files until the next service restart. Assisted-by: Claude Opus 4.6 Signed-off-by: Tyrie Vella <tyrielv@gmail.com>
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
To roll out upgrades automatically (e.g. via fleet management or scheduled tasks), the installer needs to work without disrupting active GVFS mounts. Today, upgrading requires unmounting all repos — interrupting builds, IDE indexing, and any in-progress work. This PR adds a staged upgrade mode so users can be moved to newer versions transparently.
Changes
Installer (Setup.iss)
New
/STAGEIFMOUNTED=trueflag for silent installs (default: false — existing behavior preserved). Interactive installs show a dialog when mounts are detected. When staging:{app}\PendingUpgrade\instead of replacing in-placeGVFS.Service.exeis replaced directly (brief stop/start — mounts unaffected).readymarker is written after all files are staged (guards against partial writes from interrupted installs)CloseApplications=noprevents Restart Manager from killing GVFS processes. The clean upgrade path now force-kills processes ifunmount-allfails to clean up.Service (PendingUpgradeHandler.cs, RequestHandler.cs)
Completes the staged upgrade when no mounts are running:
The upgrade uses atomic
File.Movein two phases:PreviousVersion\(with.phase1-completemarker for crash recovery)Safety: defers if GVFS.Mount processes are still running. Rejects PendingUpgrade without
.readymarker. Crash mid-Phase-1 restores backed-up files and retries.CI (upgrade-tests.yaml)
Five test scenarios: staging upgrade, clean upgrade, double staging, staging-then-clean, and mount safety deferral.