🐛 fix: prevent binary self-update from disabling provider auto-update (#6851)

* 🐛 fix: prevent binary self-update from disabling provider auto-update

After a binary self-update, the ExecUpdatedBinary() function was setting
MONDOO_AUTO_UPDATE=false to prevent infinite update loops. However, this
also disabled provider auto-installation because viper's AutomaticEnv()
picks up MONDOO_AUTO_UPDATE and maps it to the auto_update config key.

This fix introduces a separate internal environment variable
(MONDOO_BINARY_SELF_UPDATE_SKIP) that is only used for preventing binary
self-update loops. This ensures:

1. Binary self-update infinite loops are still prevented
2. Provider auto-installation works correctly in the re-exec'd process
3. User's explicit MONDOO_AUTO_UPDATE=false preference is still respected

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* 🧹 rename flag to MONDOO_AUTO_UPDATE_ENGINE to be consistent with other auto-update flag

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>

* 🟢 use t.Setenv on tests

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>

---------

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Dominik Richter <dominik.richter@gmail.com>

Author: 3 people

cli/selfupdate/exec_unix.go

@@ -13,8 +13,9 @@ import (
 // ExecUpdatedBinary replaces the current process with the updated binary.
 // On Unix systems, this uses syscall.Exec which replaces the current process entirely.
 func ExecUpdatedBinary(binaryPath string, args []string) error {
-	// Disable auto-update for the new process to prevent infinite loops
-	os.Setenv(EnvAutoUpdate, "false")
+	// Disable engine auto-update in the new process to prevent infinite update loops.
+	// Provider auto-update (which reads MONDOO_AUTO_UPDATE via viper) is not affected.
+	os.Setenv(EnvAutoUpdateEngine, "false")
 
 	// Replace the current process with the new binary
 	// syscall.Exec replaces the current process image with the new one

cli/selfupdate/exec_windows.go

@@ -14,8 +14,9 @@ import (
 // On Windows, syscall.Exec is not available, so we spawn a new process,
 // wait for it to complete, and exit with its exit code.
 func ExecUpdatedBinary(binaryPath string, args []string) error {
-	// Disable auto-update for the new process to prevent infinite loops
-	os.Setenv(EnvAutoUpdate, "false")
+	// Disable engine auto-update in the new process to prevent infinite update loops.
+	// Provider auto-update (which reads MONDOO_AUTO_UPDATE via viper) is not affected.
+	os.Setenv(EnvAutoUpdateEngine, "false")
 
 	// On Windows, we spawn the new process and wait for it to complete
 	cmd := exec.Command(binaryPath, args[1:]...)

cli/selfupdate/selfupdate.go

@@ -31,9 +31,14 @@ import (
 const (
 	// DefaultRefreshInterval is the minimum time between update checks in seconds (1 hour)
 	DefaultRefreshInterval = 3600
-	// EnvAutoUpdate can be set to "false" or "0" to disable auto-update.
-	// This is also set to "false" after an update to prevent infinite loops.
+	// EnvAutoUpdate can be set to "false" or "0" to disable all auto-updates
+	// (both engine binary and providers). When off, EnvAutoUpdateEngine is also off.
 	EnvAutoUpdate = "MONDOO_AUTO_UPDATE"
+	// EnvAutoUpdateEngine can be set to "false" or "0" to disable engine binary
+	// auto-update specifically. It is also set to "false" after a binary self-update
+	// to prevent infinite update loops. Provider auto-update (which reads
+	// MONDOO_AUTO_UPDATE via viper) is not affected by this variable.
+	EnvAutoUpdateEngine = "MONDOO_AUTO_UPDATE_ENGINE"
 	// DefaultReleaseURL is the URL to fetch the latest release information
 	DefaultReleaseURL = "https://releases.mondoo.com/mql/latest.json"
 	// markerFilePrefix is the prefix for per-binary marker files that track when the last update check occurred.
@@ -79,9 +84,16 @@ func CheckAndUpdate(cfg Config) (bool, error) {
 		return false, nil
 	}
 
-	// Skip if auto-update is disabled (also prevents infinite loops after an update)
+	// Skip if auto-update is disabled via environment (disables both engine and providers)
 	if val := os.Getenv(EnvAutoUpdate); val == "false" || val == "0" {
-		log.Debug().Msg("self-update: skipping, disabled via environment")
+		log.Debug().Msg("self-update: skipping, disabled via " + EnvAutoUpdate)
+		return false, nil
+	}
+
+	// Skip if engine auto-update is specifically disabled (e.g., after a binary self-update
+	// to prevent infinite loops, or when the user only wants provider auto-updates)
+	if val := os.Getenv(EnvAutoUpdateEngine); val == "false" || val == "0" {
+		log.Debug().Msg("self-update: skipping, disabled via " + EnvAutoUpdateEngine)
 		return false, nil
 	}
 

cli/selfupdate/selfupdate_test.go

@@ -0,0 +1,151 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package selfupdate
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCheckAndUpdate_EnvVarBehavior(t *testing.T) {
+	t.Run("skips when MONDOO_AUTO_UPDATE is false", func(t *testing.T) {
+		t.Setenv(EnvAutoUpdate, "false")
+		t.Setenv(EnvAutoUpdateEngine, "")
+
+		cfg := Config{
+			Enabled:        true,
+			CurrentVersion: "1.0.0",
+		}
+
+		updated, err := CheckAndUpdate(cfg)
+		assert.NoError(t, err)
+		assert.False(t, updated)
+	})
+
+	t.Run("skips when MONDOO_AUTO_UPDATE is 0", func(t *testing.T) {
+		t.Setenv(EnvAutoUpdate, "0")
+		t.Setenv(EnvAutoUpdateEngine, "")
+
+		cfg := Config{
+			Enabled:        true,
+			CurrentVersion: "1.0.0",
+		}
+
+		updated, err := CheckAndUpdate(cfg)
+		assert.NoError(t, err)
+		assert.False(t, updated)
+	})
+
+	t.Run("skips when MONDOO_AUTO_UPDATE_ENGINE is false", func(t *testing.T) {
+		t.Setenv(EnvAutoUpdate, "")
+		t.Setenv(EnvAutoUpdateEngine, "false")
+
+		cfg := Config{
+			Enabled:        true,
+			CurrentVersion: "1.0.0",
+		}
+
+		updated, err := CheckAndUpdate(cfg)
+		assert.NoError(t, err)
+		assert.False(t, updated)
+	})
+
+	t.Run("skips when MONDOO_AUTO_UPDATE_ENGINE is 0", func(t *testing.T) {
+		t.Setenv(EnvAutoUpdate, "")
+		t.Setenv(EnvAutoUpdateEngine, "0")
+
+		cfg := Config{
+			Enabled:        true,
+			CurrentVersion: "1.0.0",
+		}
+
+		updated, err := CheckAndUpdate(cfg)
+		assert.NoError(t, err)
+		assert.False(t, updated)
+	})
+
+	t.Run("skips engine when MONDOO_AUTO_UPDATE is on but MONDOO_AUTO_UPDATE_ENGINE is off", func(t *testing.T) {
+		t.Setenv(EnvAutoUpdate, "true")
+		t.Setenv(EnvAutoUpdateEngine, "false")
+
+		cfg := Config{
+			Enabled:        true,
+			CurrentVersion: "1.0.0",
+		}
+
+		updated, err := CheckAndUpdate(cfg)
+		assert.NoError(t, err)
+		assert.False(t, updated)
+	})
+
+	t.Run("MONDOO_AUTO_UPDATE off overrides MONDOO_AUTO_UPDATE_ENGINE on", func(t *testing.T) {
+		t.Setenv(EnvAutoUpdate, "false")
+		t.Setenv(EnvAutoUpdateEngine, "true")
+
+		cfg := Config{
+			Enabled:        true,
+			CurrentVersion: "1.0.0",
+		}
+
+		updated, err := CheckAndUpdate(cfg)
+		assert.NoError(t, err)
+		assert.False(t, updated)
+	})
+
+	t.Run("does not skip when neither env var is set", func(t *testing.T) {
+		t.Setenv(EnvAutoUpdate, "")
+		t.Setenv(EnvAutoUpdateEngine, "")
+
+		cfg := Config{
+			Enabled:        true,
+			CurrentVersion: "1.0.0-rolling", // Use rolling to skip network check
+		}
+
+		// Will return false due to rolling version, but won't skip due to env vars
+		updated, err := CheckAndUpdate(cfg)
+		assert.NoError(t, err)
+		assert.False(t, updated)
+	})
+
+	t.Run("skips when config is disabled", func(t *testing.T) {
+		t.Setenv(EnvAutoUpdate, "")
+		t.Setenv(EnvAutoUpdateEngine, "")
+
+		cfg := Config{
+			Enabled:        false,
+			CurrentVersion: "1.0.0",
+		}
+
+		updated, err := CheckAndUpdate(cfg)
+		assert.NoError(t, err)
+		assert.False(t, updated)
+	})
+
+	t.Run("skips for rolling version", func(t *testing.T) {
+		t.Setenv(EnvAutoUpdate, "")
+		t.Setenv(EnvAutoUpdateEngine, "")
+
+		cfg := Config{
+			Enabled:        true,
+			CurrentVersion: "1.0.0-rolling",
+		}
+
+		updated, err := CheckAndUpdate(cfg)
+		assert.NoError(t, err)
+		assert.False(t, updated)
+	})
+}
+
+// TestEnvVarSeparation verifies that MONDOO_AUTO_UPDATE_ENGINE is separate from
+// MONDOO_AUTO_UPDATE, ensuring that:
+// 1. Engine binary auto-update can be disabled independently of provider auto-update
+// 2. Provider auto-update (which reads MONDOO_AUTO_UPDATE via viper) is not affected
+func TestEnvVarSeparation(t *testing.T) {
+	t.Run("env vars are different", func(t *testing.T) {
+		assert.NotEqual(t, EnvAutoUpdate, EnvAutoUpdateEngine)
+		assert.Equal(t, "MONDOO_AUTO_UPDATE", EnvAutoUpdate)
+		assert.Equal(t, "MONDOO_AUTO_UPDATE_ENGINE", EnvAutoUpdateEngine)
+	})
+}