feat(release): sh.boxlite.ai Cloudflare Worker for installer#510
Merged
Conversation
Add a Cloudflare Worker that serves the latest GitHub Release's install.sh at https://sh.boxlite.ai, so users can run: curl -fsSL https://sh.boxlite.ai | sh The Worker is a byte-passthrough proxy with a 5-min edge cache and a Content-Type override (text/x-shellscript), so the install.sh trust model (sigstore attestation, embedded SHA256 checksums, .sha256 sidecars on the release) stays anchored to the GitHub Release. README's verify-before-pipe section keeps the long GitHub URL for that reason. Deploy is manual (npx wrangler deploy from scripts/release/sh-installer/); Worker source rarely changes so a CI workflow is overkill.
sh.boxlite.ai is the convenience entry point; the long GitHub Releases URL is the verifiable upstream (it's what gh attestation verify covers). Listing both in the Usage header lets readers pick the trust posture they want without digging into the README.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
sh.boxlite.aithat proxies the latest GitHub Release'sinstall.sh, enablingcurl -fsSL https://sh.boxlite.ai | shas a memorable entry point alongside the existing long URL.Content-Type: text/x-shellscriptoverride; the install.sh trust model (sigstore attestation + embedded checksums +.sha256sidecars) stays anchored to the GitHub Release, not to the Worker.sh.boxlite.aias the primary URL; verify-before-pipe section deliberately keeps the GitHub Releases URL since that's where the attestation lives.BOXLITE_VERSION=v0.9.4 curl -fsSL https://sh.boxlite.ai | shworks (matches rustup/pnpm/mise env-var pattern).npx wrangler deploy.Test plan
cd scripts/release/sh-installer && npx wrangler login && npx wrangler deploy(one-time setup; auto-provisions DNS + TLS forsh.boxlite.ai)curl -I https://sh.boxlite.aireturns200,content-type: text/x-shellscript,server: cloudflarediff <(curl -fsSL https://sh.boxlite.ai) <(curl -fsSL https://github.com/boxlite-ai/boxlite/releases/latest/download/install.sh)shows no diffcurl -fsSL https://sh.boxlite.ai | shinstallsboxliteto~/.local/bin/BOXLITE_VERSION=v0.9.4 curl -fsSL https://sh.boxlite.ai | shpins to v0.9.4curl -X POST https://sh.boxlite.aireturns405 Method not allowed