diff --git a/README.md b/README.md index 71dcad1..361d8e3 100644 --- a/README.md +++ b/README.md 
@@ -38,12 +38,45 @@ Installing [releases]: https://github.com/autotag-dev/autotag/releases/latest -### One-liner +### CI install (recommended): pinned binary + checksum -An install script generated by [godownloader](https://github.com/goreleaser/godownloader) is -available for all supported platforms. This is often a convenient option for CI pipelines. +For CI pipelines, download the binary directly from a pinned release and verify its SHA-256. +This is the recommended approach for supply-chain hardening — both the version and the expected +hash live in your workflow, so a tampered release artifact fails verification before the binary +is ever executed. -Examples: +Linux/amd64 example: + +```sh +VERSION=v1.4.3 +SHA256=85e7ec97d732800bb838085fd3f2e19b2aa2ee3a8da0db7fd0aaf4113a279f3a +curl -fsSLo /usr/local/bin/autotag \ + "https://github.com/autotag-dev/autotag/releases/download/${VERSION}/autotag_linux_amd64" +echo "${SHA256} /usr/local/bin/autotag" | sha256sum -c - +chmod +x /usr/local/bin/autotag +``` + +The raw binary is published for each supported `${os}_${arch}` combination — substitute e.g. +`autotag_darwin_arm64` as needed. Only `curl` and `sha256sum` (or `shasum -a 256`) are required; +no `gh` CLI, no install script. + +To capture the expected SHA when adopting or bumping a version, read it from the release's +_checksums.txt_: + +```sh +curl -sL https://github.com/autotag-dev/autotag/releases/download/v1.4.3/autotag_1.4.3_checksums.txt \ + | grep 'autotag_linux_amd64$' +``` + +### One-liner (deprecated) + +> **Deprecated.** The install script below was generated by the unmaintained +> [godownloader](https://github.com/goreleaser/godownloader) project, is fetched via the +> retired `git.io` redirector, and performs no out-of-band integrity check beyond the +> `checksums.txt` served from the same release. Prefer the pinned-binary approach above for +> any new pipelines. + +An install script for all supported platforms is available. 
Examples: Download and install latest version of `autotag` at `./bin/autotag`: diff --git a/installer b/installer index 4e7ea0f..76cba26 100644 --- a/installer +++ b/installer @@ -354,6 +354,13 @@ GITHUB_DOWNLOAD=https://github.com/${OWNER}/${REPO}/releases/download uname_os_check "$OS" uname_arch_check "$ARCH" +cat >&2 <<'EOF' +WARNING: this install script is deprecated and no longer maintained. + For CI pipelines, prefer the pinned-binary + checksum approach: + https://github.com/autotag-dev/autotag + +EOF + parse_args "$@" get_binaries
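Review bot: in the README hunk's CI install example, the binary is written straight to `/usr/local/bin/autotag` before its hash is checked, and `chmod +x` is a separate command after `sha256sum -c`, so unless the workflow shell runs with `set -e` (or the step is one `&&` chain) a failed verification still leaves the tampered file in place and then marks it executable, which contradicts the "fails verification before the binary is ever executed" claim two paragraphs up. Suggest downloading to a temporary path and installing only on success, joined with `&&`: `curl -fsSLo autotag.tmp "https://github.com/autotag-dev/autotag/releases/download/${VERSION}/autotag_linux_amd64"`, `echo "${SHA256}  autotag.tmp" | sha256sum -c -`, `install -m 0755 autotag.tmp /usr/local/bin/autotag`. Minor: the `checksums.txt` fetch uses `curl -sL` without `-f`, so a mistyped tag returns GitHub's 404 body to `grep` and the command prints nothing with no error; add `-f` there as well.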
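Review bot: the deprecation heredoc in the installer hunk hardcodes `https://github.com/autotag-dev/autotag` inside a quoted `<<'EOF'`, while the script already derives its download location from `${OWNER}/${REPO}` (see the `GITHUB_DOWNLOAD=` context line just above the hunk), so the pointer can drift from the repository the script actually downloads from. Suggest unquoting the delimiter and using `https://github.com/${OWNER}/${REPO}` in the message, and linking to the README's new CI install section rather than the repository root so a user who sees the warning lands on the replacement instructions.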