From e8a87f3059f85fce1ccdb10077ffa14b7f9c1c3e Mon Sep 17 00:00:00 2001 From: joe miller Date: Thu, 14 May 2026 14:34:54 +0000 Subject: [PATCH] deprecate installer script The install script used by the `curl -sL https://git.io/autotag-install | sh` instructions was generated by godownloader years ago and does provide a way to verify against a checksum provided as input. While it does verify checksums downloaded from github releases, this is not sufficient in the current era of increasing supply chain attacks. An attacker could compromise the github repo and replace any release binary along with checksums. Recommend users manually (or using automation) retrieve version + checksum and hardcode both in their CI pipelines. --- README.md | 41 +++++++++++++++++++++++++++++++++++++---- installer | 7 +++++++ 2 files changed, 44 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 71dcad1..361d8e3 100644 --- a/README.md +++ b/README.md 
@@ -38,12 +38,45 @@ Installing [releases]: https://github.com/autotag-dev/autotag/releases/latest -### One-liner +### CI install (recommended): pinned binary + checksum -An install script generated by [godownloader](https://github.com/goreleaser/godownloader) is -available for all supported platforms. This is often a convenient option for CI pipelines. +For CI pipelines, download the binary directly from a pinned release and verify its SHA-256. +This is the recommended approach for supply-chain hardening — both the version and the expected +hash live in your workflow, so a tampered release artifact fails verification before the binary +is ever executed. -Examples: +Linux/amd64 example: + +```sh +VERSION=v1.4.3 +SHA256=85e7ec97d732800bb838085fd3f2e19b2aa2ee3a8da0db7fd0aaf4113a279f3a +curl -fsSLo /usr/local/bin/autotag \ + "https://github.com/autotag-dev/autotag/releases/download/${VERSION}/autotag_linux_amd64" +echo "${SHA256} /usr/local/bin/autotag" | sha256sum -c - +chmod +x /usr/local/bin/autotag +``` + +The raw binary is published for each supported `${os}_${arch}` combination — substitute e.g. +`autotag_darwin_arm64` as needed. Only `curl` and `sha256sum` (or `shasum -a 256`) are required; +no `gh` CLI, no install script. + +To capture the expected SHA when adopting or bumping a version, read it from the release's +_checksums.txt_: + +```sh +curl -sL https://github.com/autotag-dev/autotag/releases/download/v1.4.3/autotag_1.4.3_checksums.txt \ + | grep 'autotag_linux_amd64$' +``` + +### One-liner (deprecated) + +> **Deprecated.** The install script below was generated by the unmaintained +> [godownloader](https://github.com/goreleaser/godownloader) project, is fetched via the +> retired `git.io` redirector, and performs no out-of-band integrity check beyond the +> `checksums.txt` served from the same release. Prefer the pinned-binary approach above for +> any new pipelines. + +An install script for all supported platforms is available. 
Examples: Download and install latest version of `autotag` at `./bin/autotag`: diff --git a/installer b/installer index 4e7ea0f..76cba26 100644 --- a/installer +++ b/installer @@ -354,6 +354,13 @@ GITHUB_DOWNLOAD=https://github.com/${OWNER}/${REPO}/releases/download uname_os_check "$OS" uname_arch_check "$ARCH" +cat >&2 <<'EOF' +WARNING: this install script is deprecated and no longer maintained. + For CI pipelines, prefer the pinned-binary + checksum approach: + https://github.com/autotag-dev/autotag + +EOF + parse_args "$@" get_binaries
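Review bot: in the README hunk's Linux/amd64 snippet, a checksum mismatch does not stop the sequence: the four commands are separate lines with no `set -e` and no `&&` chaining, so when `sha256sum -c -` fails, `chmod +x /usr/local/bin/autotag` still runs and the tampered or truncated file is left installed, which contradicts the sentence just above it ("fails verification before the binary is ever executed") unless the CI runner happens to execute the step with `-e`. Suggest downloading to a temporary path and only installing after verification, e.g. `curl -fsSLo autotag.tmp "https://github.com/autotag-dev/autotag/releases/download/${VERSION}/autotag_linux_amd64"`, `echo "${SHA256}  autotag.tmp" | sha256sum -c -`, `install -m 0755 autotag.tmp /usr/local/bin/autotag`, or at minimum chaining the download, check and chmod with `&&`. Two smaller points in the same hunk: the checksums.txt capture command uses `curl -sL` without the `-f` the install snippet uses, so an HTTP error body is silently fed to `grep` instead of failing the command; and since the hunk's own rationale is that a hash living in the workflow defeats a later replacement of the artifact, the text should say that the hash read from `checksums.txt` is only trusted at adoption time (it is served from the same release the commit message says an attacker with repository control could rewrite) and should be confirmed out of band before it is pinned. Using the two-space separator in the `echo` line would also match the `checksums.txt` format, so the `grep` output can be pasted into the workflow unchanged.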
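Review bot: the deprecation warning in the installer hunk sends users to the repository root (`https://github.com/autotag-dev/autotag`) rather than to the README section this same patch adds ("CI install (recommended): pinned binary + checksum"), so someone reading the warning in a CI log still has to hunt for the replacement instructions; link the README heading directly. Also, because the heredoc is written to stderr before `parse_args "$@"`, it is printed unconditionally, including for any flags `parse_args` handles, and there is no way to silence it; consider an opt-out environment variable documented in the README's "One-liner (deprecated)" section, or, given the script is declared "no longer maintained", have it exit non-zero unless that variable is set so the deprecation is enforced rather than merely advisory.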