feat(install): ship curl|sh installer with embedded checksums #507
Merged
Adds `scripts/install.sh.template`, a POSIX-sh installer modeled after mise
and uv. CI substitutes `__VERSION__` and per-target `__SHA_*__` placeholders
from the just-generated `.sha256` sidecars and uploads the rendered
`install.sh` to the release. Users get:

    curl -fsSL https://github.com/boxlite-ai/boxlite/releases/latest/download/install.sh | sh

The script auto-detects target via uname, defaults to `$HOME/.local/bin`
(overridable with `BOXLITE_INSTALL_DIR`), verifies the tarball against the
embedded checksum on the fast path or fetches the `.sha256` sidecar for
non-current versions (`BOXLITE_VERSION=v...`), and atomically moves the
binary into place. Rejects macOS Intel and unsupported archs with a clear
error.
README's install block becomes a one-liner; the manual verify recipe
(sha256sum + gh attestation verify) stays underneath.
`scripts/release/install.sh.template` reflects what the file actually is:
release-time infrastructure consumed only by CI, not a script users run from
the repo. Matches the existing scripts/{build,ci,deploy,setup,images}/
subdir-by-purpose layout and leaves room for future release-side tooling
(release-note generator, version bumpers) alongside it.
…r pipe

Two Codex adversarial review findings:

1. The installer extracted with default tar settings and then `mv`'d the binary into place. When run with sudo for /usr/local/bin, tar's ownership-restore can plant a /usr/local/bin/boxlite owned by the CI runner's UID (501 on macOS runners, 1001 on Ubuntu) — which on many Linux desktops happens to be the user's own UID, making a privileged PATH binary writable by an unprivileged process. starship's installer has the same bug; uv and mise dodge it by never recommending the root path. We can do better with one line. Switched to `tar --no-same-owner` + `install -m 0755`, both portable across macOS BSD tools and GNU coreutils.
2. README's "pin a version" snippet placed BOXLITE_VERSION/INSTALL_DIR before `curl`. POSIX rule: `VAR=val cmd1 | cmd2` decorates only cmd1, so the variables never reached the `sh` process actually running the installer. Moved the env-var prefix to the sh side of the pipe.
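Both findings in the commit message above can be reproduced offline. The sketch below is an added example, not code from this PR or from the project's installer: `true` stands in for `curl`, `v9.9.9` is a constructed value, and `install_from_tarball` is a hypothetical helper that assumes the archive holds a top-level `boxlite` file.

```shell
# Finding 2: which process sees a VAR=val prefix on either side of a pipe.
# Each function prints what the right-hand `sh` sees for BOXLITE_VERSION.
seen_with_prefix_on_curl_side() {
    # The prefix decorates only `true` (the stand-in for curl), not `sh`.
    ( unset BOXLITE_VERSION
      BOXLITE_VERSION=v9.9.9 true | sh -c 'printf %s "${BOXLITE_VERSION:-unset}"' )
}
seen_with_prefix_on_sh_side() {
    # The prefix is part of the `sh` command, so the installer process sees it.
    ( unset BOXLITE_VERSION
      true | BOXLITE_VERSION=v9.9.9 sh -c 'printf %s "${BOXLITE_VERSION:-unset}"' )
}

# Finding 1: extract without restoring archive ownership, then copy into
# place with an explicit mode instead of moving the extracted file.
# Usage: install_from_tarball TARBALL DEST_DIR   (hypothetical helper)
install_from_tarball() {
    tarball=$1; dest=$2
    tmp=$(mktemp -d) || return 1
    # --no-same-owner: extracted files belong to the invoking user, never to
    # the UID/GID recorded in the archive (relevant when running as root).
    tar --no-same-owner -xzf "$tarball" -C "$tmp" || { rm -rf "$tmp"; return 1; }
    # install(1) creates a new file with mode 0755, ignoring the mode stored
    # in the archive.
    mkdir -p "$dest" && install -m 0755 "$tmp/boxlite" "$dest/boxlite"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```
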
Addressed all three Codex adversarial-review findings:
Summary

- `scripts/install.sh.template`, a POSIX-sh installer modeled on mise (`mise.run`) and uv (`astral.sh/uv/install.sh`).
- `__VERSION__` and the three `__SHA_*__` placeholders from the per-file `.sha256` sidecars generated in PR feat(release): curl|sh installer + SHA256SUMS + build provenance #506, then uploads the rendered `install.sh` to the release. The substitution step has a sanity check that fails the workflow if any placeholder slipped through.
- `curl … | sh` line. The manual `sha256sum` + `gh attestation verify` recipe stays below for users who download tarballs directly.

How it works

- `release: published`) builds the CLI on three targets.
- `upload_to_release` job downloads the artifacts, writes per-file `.sha256` sidecars, then renders `dist/install.sh` from `scripts/install.sh.template`.
- `BOXLITE_VERSION=v...`) fall through to fetching `<artifact>.sha256` from the release.

Behavior

- `$HOME/.local/bin` (overridable with `BOXLITE_INSTALL_DIR`).
- `Darwin-arm64` → `aarch64-apple-darwin`; `Linux-x86_64` → `x86_64-unknown-linux-gnu`; `Linux-aarch64|arm64` → `aarch64-unknown-linux-gnu`.
- `curl` or `wget`; uses `sha256sum` or `shasum -a 256`. POSIX `sh` only (no bashisms).
- `mktemp -d`, verify, then `mv` the binary into place.

Test plan

- `shellcheck scripts/install.sh.template` — zero warnings.
- `sh -n` on the template and on a locally-rendered copy — clean.
- `sed` dry-run with fake checksums — placeholders correctly replaced.
- `v0.0.0-rc1` tag to a fork; confirm `install.sh` appears in the release with real checksums substituted in.
- `curl … install.sh | sh` on macOS arm64: `~/.local/bin/boxlite --version` matches.
- `curl … install.sh | sh` inside `docker run -it ubuntu:22.04` (with `curl ca-certificates`): same.
- `BOXLITE_VERSION=v9.9.9 curl … | sh` — must fail clearly on 404.
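The placeholder sanity check and the `sha256sum`/`shasum` comparison described in this PR description can be sketched as follows. This is an added example, not the project's template or workflow: the `__SHA_LINUX_X64__` and `__SHA_DARWIN_ARM64__` placeholder names and both function names are assumptions, since the page only gives the `__SHA_*__` pattern.

```shell
# Render TEMPLATE to OUT by substituting placeholders, then refuse any output
# that still contains a __UPPER_CASE__ token. The two __SHA_*__ names are
# hypothetical; the page only shows the __SHA_*__ pattern.
render_installer() {
    template=$1; out=$2; version=$3; sha_linux=$4; sha_mac=$5
    sed -e "s|__VERSION__|$version|g" \
        -e "s|__SHA_LINUX_X64__|$sha_linux|g" \
        -e "s|__SHA_DARWIN_ARM64__|$sha_mac|g" "$template" > "$out" || return 1
    # Sanity check: a leftover placeholder means a target was added to the
    # template without a matching substitution, so fail instead of shipping it.
    if grep -En '__[A-Z0-9_]+__' "$out" >&2; then
        echo "unsubstituted placeholder in $out" >&2
        rm -f "$out"
        return 1
    fi
}

# Hash FILE with whichever tool exists and compare it with EXPECTED.
verify_sha256() {
    file=$1; expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    elif command -v shasum >/dev/null 2>&1; then
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    else
        echo "need sha256sum or shasum" >&2; return 1
    fi
    # An empty or placeholder-shaped expected value must never pass.
    case "$expected" in
        ''|*[!0-9a-f]*) echo "malformed expected checksum" >&2; return 1 ;;
    esac
    [ ${#expected} -eq 64 ] && [ "$actual" = "$expected" ]
}
```
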