41 changes: 37 additions & 4 deletions README.md
Expand Up @@ -38,12 +38,45 @@ Installing

[releases]: https://github.com/autotag-dev/autotag/releases/latest

### One-liner
### CI install (recommended): pinned binary + checksum

An install script generated by [godownloader](https://github.com/goreleaser/godownloader) is
available for all supported platforms. This is often a convenient option for CI pipelines.
For CI pipelines, download the binary directly from a pinned release and verify its SHA-256.
This is the recommended approach for supply-chain hardening — both the version and the expected
hash live in your workflow, so a tampered release artifact fails verification before the binary
is ever executed.

Examples:
Linux/amd64 example:

```sh
VERSION=v1.4.3
SHA256=85e7ec97d732800bb838085fd3f2e19b2aa2ee3a8da0db7fd0aaf4113a279f3a
curl -fsSLo /usr/local/bin/autotag \
"https://github.com/autotag-dev/autotag/releases/download/${VERSION}/autotag_linux_amd64"
echo "${SHA256} /usr/local/bin/autotag" | sha256sum -c -
chmod +x /usr/local/bin/autotag
```

The raw binary is published for each supported `${os}_${arch}` combination — substitute e.g.
`autotag_darwin_arm64` as needed. Only `curl` and `sha256sum` (or `shasum -a 256`) are required;
no `gh` CLI, no install script.

To capture the expected SHA when adopting or bumping a version, read it from the release's
_checksums.txt_:

```sh
curl -sL https://github.com/autotag-dev/autotag/releases/download/v1.4.3/autotag_1.4.3_checksums.txt \
| grep 'autotag_linux_amd64$'
```

### One-liner (deprecated)

> **Deprecated.** The install script below was generated by the unmaintained
> [godownloader](https://github.com/goreleaser/godownloader) project, is fetched via the
> retired `git.io` redirector, and performs no out-of-band integrity check beyond the
> `checksums.txt` served from the same release. Prefer the pinned-binary approach above for
> any new pipelines.

An install script for all supported platforms is available. Examples:

Download and install latest version of `autotag` at `./bin/autotag`:

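Review bot: In the Linux/amd64 example a checksum mismatch does not stop the install: `sha256sum -c -` exits non-zero, but without `set -e` the following `chmod +x /usr/local/bin/autotag` still runs, and `curl -fsSLo /usr/local/bin/autotag` has already written the unverified file to its final path. Suggest downloading to a temporary path and only installing after verification succeeds, e.g. `curl -fsSLo /tmp/autotag "...${VERSION}/autotag_linux_amd64"`, then `echo "${SHA256}  /tmp/autotag" | sha256sum -c - && install -m 0755 /tmp/autotag /usr/local/bin/autotag`; at minimum prefix the snippet with `set -euo pipefail` so a failed check aborts the job. Two smaller points: the canonical `sha256sum -c` input has two spaces between hash and filename (the single-space form is rejected by some older coreutils releases), and the `checksums.txt` fetch uses `curl -sL` without `-f`, so an HTTP error body would be grepped silently; `-fsSL` keeps it consistent with the example above. It may also help to state that the value read from `checksums.txt` is served from the same release as the binary, so the protection comes from pinning it in the workflow afterwards, not from that first fetch.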
7 changes: 7 additions & 0 deletions installer
Expand Up @@ -354,6 +354,13 @@ GITHUB_DOWNLOAD=https://github.com/${OWNER}/${REPO}/releases/download
uname_os_check "$OS"
uname_arch_check "$ARCH"

cat >&2 <<'EOF'
WARNING: this install script is deprecated and no longer maintained.
For CI pipelines, prefer the pinned-binary + checksum approach:
https://github.com/autotag-dev/autotag

EOF

parse_args "$@"

get_binaries
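Review bot: The URL in the deprecation banner points at the repository root, so a reader coming from a CI log still has to hunt for the replacement; link the README's new "CI install (recommended): pinned binary + checksum" section directly (a heading anchor on the README). Also note the heredoc is emitted before `parse_args "$@"`, so the banner also precedes `-h`/usage output; that is reasonable for a deprecation notice but worth stating in the PR description so it is not mistaken for an error.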