ccleaner: remove installed cruft

[refack]

1. Add an elevated call to Unregister-ScheduledTask to "post_uninstall"
2. add dependency on gsudo

CCleaner (a.k.a. crap-cleaner) is now registering an admin privileged scheduled task that persist scoop uninstall, a.k.a. crap.
Ironic

• Use conventional PR title: <manifest-name[@version]|chore>: <general summary of the pull request>
• I have read the Contributing Guide

Summary by CodeRabbit

• Chores
  • Added a new system dependency requirement for installation.
  • Updated the packaged version string.
  • Improved update metadata to better support automatic updates.
  • Enhanced the uninstallation process to remove leftover shortcuts and unregister a related scheduled background task.

[coderabbitai]

Walkthrough

Updated bucket/ccleaner.json: added depends = gsudo, adjusted post_uninstall to unregister the CCleanerCrashReporting scheduled task and remove a .lnk, changed version string normalization and checkver regex to parse the portable build URL, and added an empty autoupdate hash URL field.

Changes

Cohort / File(s)	Summary
Manifest and scripts bucket/ccleaner.json	Added top-level depends field with value "gsudo"; extended post_uninstall to remove CCleaner.lnk and run Unregister-ScheduledTask -TaskName 'CCleanerCrashReporting' -Confirm:0 -ErrorAction Continue via gsudo.
Versioning & update metadata bucket/ccleaner.json	Updated version normalization from "6.39.11548" → "6.39"; changed checkver regex to parse portable URL download.ccleaner.com/portable/ccsetup(\d)(\d+).zip with replace $1.$2; added autoupdate hash object with empty url field.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Uninstaller
    participant PowerShell
    participant gsudo
    note over Uninstaller,PowerShell #DDEEFF: post_uninstall flow (elevated task removal)
    User->>Uninstaller: trigger uninstall
    Uninstaller->>PowerShell: execute post_uninstall script
    PowerShell->>gsudo: Invoke Unregister-ScheduledTask & remove .lnk
    gsudo-->>PowerShell: command result (success / continue on error)
    PowerShell-->>Uninstaller: post_uninstall completed
    Uninstaller-->>User: uninstall finished

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Verify depends placement and syntax for gsudo.
• Confirm post_uninstall paths (shortcut) and scheduled task name CCleanerCrashReporting.
• Validate the new checkver regex semantics and resulting version normalization.
• Ensure autoupdate.hash.url being empty is intentional or needs a real URL.

Poem

🐰 I nibbled at JSON, neat and spry,

declared a helper to lift things high,
I unlinked a shortcut and hushed a task's drum,
Version trimmed tidy — the updates hum.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title "ccleaner: remove installed cruft" follows the conventional PR title format specified in the repository template (<manifest-name>: <general summary>). The title directly aligns with the main objective of the pull request: to remove an unwanted administrator-privileged scheduled task that CCleaner creates and that persists after uninstall. The term "cruft" accurately characterizes the leftover scheduled task being targeted for removal. The title is concise, clear, and specific enough that a reviewer scanning the history would immediately understand the primary change.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Your changes did not pass all checks.

Please address the issues in the manifest and comment starting with /verify to rerun the checks.

Invalid manifests

• ccleaner

Check the full log for details.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a6e5da2 and c6de7b2.

📒 Files selected for processing (1)

• bucket/ccleaner.json (2 hunks)

🧰 Additional context used

🪛 GitHub Actions: Pull Requests

bucket/ccleaner.json

[error] 1-1: Conversion failed. Invalid JSON in manifest. PR contains invalid manifests: ccleaner.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: WindowsPowerShell

🔇 Additional comments (2)

bucket/ccleaner.json (2)

37-38: Verify the scheduled task name matches CCleaner's actual registration.

The implementation assumes CCleaner registers a scheduled task named CCleanerCrashReporting. Confirm this task name is correct and persists across CCleaner versions.

---

6-6: gsudo dependency verified as valid Scoop package.

gsudo is available through Scoop and can be installed with scoop install gsudo. It is listed in the main Scoop bucket as a recommended tool for executing commands with administrative privileges. The dependency is appropriate for executing the admin-privileged Unregister-ScheduledTask command as documented.

[SorYoshino]

Before addressing the issues mentioned in this PR, we may need to first resolve the problem of the current manifest being unable to auto-update (see the ccleaner section in result.txt for details). Otherwise, the /verify check will always fail.

[refack]

Very quick looking around seems like CCleaner changed ownership from Piriform to the Avest/NortonLifeLock corp. It seems they have

1. Not keeping the portable version updated
   the "portable" link goes to https://download.ccleaner.com/portable/ccsetup639.zip
   the "free" link goes to https://bits.avcdn.net/productfamily_CCLEANER7/insttype_FREE/platform_WIN/installertype_ONLINE/build_RELEASE
2. added malware (see original PR content).

I formulated a workaround, but mostly for the mental exercise. I believe CCleaner should be removed from the bucket

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 500fe85 and 847a5f8.

📒 Files selected for processing (1)

• bucket/ccleaner.json (2 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-10-13T09:37:06.093Z

Learnt from: o-l-a-v
Repo: ScoopInstaller/Extras PR: 16328
File: bucket/winutil.json:0-0
Timestamp: 2025-10-13T09:37:06.093Z
Learning: When reviewing code in Scoop manifests, always verify the actual file content if the diff appears incomplete or unusual, as diff context can be truncated or displayed incorrectly. The pattern `[string[]](...).ForEach{...}` is commonly used in post_uninstall scripts across the Extras repository.

Applied to files:

• bucket/ccleaner.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: WindowsPowerShell

🔇 Additional comments (3)

bucket/ccleaner.json (3)

32-39: Verify post_uninstall correctly handles privileged task unregistration.

The post_uninstall now includes gsudo Unregister-ScheduledTask to remove the CCleanerCrashReporting task. Verify that:

• The -Confirm:0 -ErrorAction Continue flags correctly suppress confirmation and handle non-existent tasks gracefully (no error if task doesn't exist).
• gsudo is correctly invoked and properly depends on the gsudo package.
• The task name CCleanerCrashReporting matches the actual scheduled task name created by CCleaner.

This addresses the PR's core objective of removing leftover scheduled tasks.

---

40-43: Checkver regex extraction verified, but autoupdate hash verification is broken.

The checkver regex correctly extracts version components: ccsetup639.zip → major=6, minor=39, producing version 6.39. Scoop's autoupdate correctly splits version 6.39 on dots to populate $majorVersion=6 and $minorVersion=39, making the autoupdate URL template resolve correctly to https://download.ccleaner.com/portable/ccsetup639.zip (a valid URI).

However, the autoupdate section has a critical flaw: the hash.url field is empty. This prevents Scoop from verifying the downloaded file's integrity during autoupdate, breaking the autoupdate mechanism entirely. Provide a valid hash URL (or remove the empty hash object if hash verification is not supported for this URL).

⛔ Skipped due to learnings

Learnt from: o-l-a-v
Repo: ScoopInstaller/Extras PR: 16378
File: bucket/compactgui.json:20-22
Timestamp: 2025-10-19T13:58:23.389Z
Learning: In the ScoopInstaller/Extras repository, the CompactGUI manifest removed hash verification from the autoupdate block because the hash verification mechanism (scraping SHA-256 from release page HTML) is no longer available in newer CompactGUI releases. GitHub asset digests exist in beta releases but not in v3.8.0, and Scoop doesn't have built-in support for extracting from GitHub API asset digests.

Learnt from: Gitoffthelawn
Repo: ScoopInstaller/Extras PR: 16106
File: bucket/czkawka-gui.json:25-25
Timestamp: 2025-09-05T09:41:52.653Z
Learning: For czkawka-gui manifests in Scoop Extras, the correct upstream filename pattern for Windows GUI builds in recent versions uses "gtk46" (without underscore), not "gtk_46" (with underscore). The autoupdate URL should use "windows_czkawka_gui_gtk46.zip" format. This was confirmed by a working 10.0.0 update with valid hash.

Learnt from: o-l-a-v
Repo: ScoopInstaller/Extras PR: 16349
File: bucket/fvim.json:45-49
Timestamp: 2025-10-16T15:59:21.258Z
Learning: In Scoop manifests, the `autoupdate.url` and `autoupdate.architecture.<arch>.url` fields must be valid URIs according to the JSON schema (defined with `"format": "uri"`). Variables like `$matchUrlx64` that contain only path segments must be combined with a base URL (e.g., `https://github.com/.../releases/download/`) to form a complete valid URI.

Learnt from: Gitoffthelawn
Repo: ScoopInstaller/Extras PR: 16106
File: bucket/czkawka-gui.json:25-25
Timestamp: 2025-09-05T09:41:52.653Z
Learning: For czkawka-gui manifests in Scoop Extras, the correct upstream filename pattern for Windows GUI builds uses "gtk46" (without underscore), not "gtk_46" (with underscore). The autoupdate URL should use "windows_czkawka_gui_gtk46.zip" format.

---

2-2: The version truncation is intentional and correctly addresses a schema mismatch; the review comment's framing is inaccurate.

The version was intentionally changed from "6.39.11548" to "6.39" as part of a "workaround wonky schema and Piriform mismatch", not as a side-effect. Scoop compares dot-separated numeric fields left-to-right; 6.39 (treated as 6.39.0) will correctly sort as less than 6.39.11548, so version comparison and upgrades will function properly—there is no downgrade or compatibility risk.

However, there is a real trade-off: CCleaner frequently ships security and hotfixes by incrementing only the build number while keeping major.minor stable, and the new URL-based checkver strategy extracts version from the download filename (ccsetup639.zip → 6.39), which cannot detect build-only increments. This is a coverage limitation, not a version-comparison defect, and was an accepted trade-off to resolve the upstream schema inconsistency.

Likely an incorrect or invalid review comment.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Empty hash URL disables integrity verification in autoupdate.

The autoupdate.hash.url field is set to an empty string, which prevents the autoupdate mechanism from verifying the integrity of downloaded files. This is a security and reliability risk.

Provide a valid hash URL or find an alternative hash verification method:

-        "hash": {
-            "url": ""
-        }
+        "hash": {
+            "url": "https://download.ccleaner.com/hashes.txt"
+        }

You may need to verify the actual hash source URL for CCleaner's portable builds.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In bucket/ccleaner.json around lines 47 to 49, the autoupdate.hash.url is an
empty string which disables integrity verification; replace the empty value with
the correct HTTPS URL that returns the hash for the CCleaner portable build (or
point to a trusted checksum file/endpoint for the exact build/version used), or
if no remote hash exists, remove the empty url and implement an alternative
verification (embed a pinned hash or fetch and validate a signed checksum) so
autoupdate can perform integrity checks instead of skipping them.

[SorYoshino]

I formulated a workaround, but mostly for the mental exercise. I believe CCleaner should be removed from the bucket

I believe we should contact the official team first to confirm whether they plan to continue providing portable builds in future releases. If they do not intend to maintain them, then CCleaner should first be moved to the Nonportable bucket, followed by initiating the deprecation process for the entry in the Extras bucket.

Alternatively, we could consider using ccsetup_offline_setup.exe as the new installer source. I performed a brief test, and it appears that it cannot be extracted using either Expand-7zipArchive or "innosetup": true. I am not certain whether there are other methods available to extract its contents.