fix(website): add manual verification instructions to install script

[jakobmoellerdev]

Summary

When gh is unavailable or unauthenticated, show detailed manual verification instructions instead of a terse warning. Three options: gh attestation verify, cosign verify-blob-attestation, and manual SHA-256 hash check via the public GitHub attestation API.

Closes #2348

Test plan

• bash install-cli.sh with gh authenticated → attestation verified
• bash install-cli.sh without gh → detailed warning printed
• OCM_SKIP_VERIFY=true → no warning
• Option B (cosign) verified against cli/v0.5.0 and cli/v0.6.0-rc.1
• CI test updated to match new warning format

Verification

• I have added/updated tests for my changes (see Test Requirements)
• Tests pass locally (task test and task test/integration if applicable)
• My changes do not decrease test coverage
• I have tested the changes locally by running ocm

[netlify]

✅ Deploy Preview for ocm-website ready!

Name	Link
🔨 Latest commit	92786e2
🔍 Latest deploy log	https://app.netlify.com/projects/ocm-website/deploys/6a01ed529949d80007380495
😎 Deploy Preview	https://deploy-preview-2484--ocm-website.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1b128e7c-14ef-447a-92ff-dcddb858ef50

📥 Commits

Reviewing files that changed from the base of the PR and between 43ed6a5 and 18e2981.

📒 Files selected for processing (2)

• website/content/docs/getting-started/ocm-cli-installation.md
• website/static/install-cli.sh

✅ Files skipped from review due to trivial changes (1)

• website/content/docs/getting-started/ocm-cli-installation.md

🚧 Files skipped from review as they are similar to previous changes (1)

• website/static/install-cli.sh

---

📝 Walkthrough

Walkthrough

Adds a helper that prints multi-option manual verification steps when GitHub attestation cannot run (missing or unauthenticated gh), updates verify_binary to call it and continue installation, updates workflow tests to assert the new messages, and adds documentation describing the manual verification methods.

Changes

Manual Verification Instructions Workflow

Layer / File(s)	Summary
Manual Verification Helper website/static/install-cli.sh	New print_verify_instructions(reason) function emits a prominent BINARY NOT CRYPTOGRAPHICALLY VERIFIED banner and three manual verification options (GitHub CLI, cosign via GitHub API, manual SHA-256 check); documents OCM_SKIP_VERIFY=true.
Binary Verification with Manual Guidance website/static/install-cli.sh	verify_binary updated to call print_verify_instructions(reason) and return 0 when gh is missing or unauthenticated; existing OCM_SKIP_VERIFY early-skip and authenticated gh attestation verify behavior unchanged.
Test Verification .github/workflows/website-live-test-install-script.yml	Live-install test assertions updated to check logs for BINARY NOT CRYPTOGRAPHICALLY VERIFIED and Reason: GitHub CLI is not authenticated.
Documentation: Verify Binary Authenticity website/content/docs/getting-started/ocm-cli-installation.md	Adds a “Verify Binary Authenticity” section describing provenance checks and three manual verification workflows: gh attestation verify, cosign verify-blob-attestation from GitHub API, and SHA-256 digest comparison with curl/jq/base64.

Sequence Diagram(s)

sequenceDiagram
  participant Installer
  participant verify_binary
  participant print_verify_instructions
  participant gh
  Installer->>verify_binary: call verify_binary(binary_path)
  verify_binary->>gh: check gh presence & auth (gh auth status --hostname github.com)
  alt gh missing or not authenticated
    verify_binary->>print_verify_instructions: print reason ("GitHub CLI is not authenticated" / "gh not found")
    print_verify_instructions->>Installer: emit BINARY NOT CRYPTOGRAPHICALLY VERIFIED + manual steps
    verify_binary->>Installer: return 0 (continue install)
  else gh available and authenticated
    verify_binary->>gh: gh attestation verify --subject <binary>
    alt attestation succeeds
      verify_binary->>Installer: return 0
    else attestation fails
      verify_binary->>Installer: fatal (terminate)
    end
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• open-component-model/open-component-model#2322: Both PRs modify website/static/install-cli.sh's verification behavior and related workflow checks.

Suggested reviewers

• morri-son
• fabianburth

Poem

🐇 I hopped to the installer, gave a helpful cheer,
"If gh is not with you, the steps are clear.
Cosign, curl, or gh—three paths to show,
A banner to warn when provenance can't go.
Safe hops onward, rabbit-approved and near."

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: adding manual verification instructions to the install script when gh is unavailable.
Description check	✅ Passed	The description is well-related to the changeset, explaining the motivation, implementation details, testing, and linking to the relevant issue.
Linked Issues check	✅ Passed	The PR implements the chosen Option 5 approach from issue #2348: showing detailed manual verification instructions when gh is unavailable or unauthenticated, meeting the security and usability objectives.
Out of Scope Changes check	✅ Passed	All changes are in-scope: install script enhancements for verification, documentation updates explaining the verification methods, and CI workflow updates to match the new warning format.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@website/static/install-cli.sh`:
- Around line 206-224: The manual verification instructions that call sha256sum
on the asset name "ocm-${OS}-${ARCH}" are brittle and non-portable; update the
warn blocks that build DIGEST and show the manual hash check to (1) detect a
cross-platform hash command (prefer sha256sum, fallback to shasum -a 256) and
use that command name when computing DIGEST, and (2) reference the actual binary
path the user should verify (use ${TMP_BIN}/ocm-${OS}-${ARCH} during the install
window or explicitly instruct verification after install using the installed
binary in PATH) instead of the release asset name; locate the warn strings that
contain "DIGEST=\"sha256:$(sha256sum ocm-${OS}-${ARCH}" and the two subsequent
curl/jq/hash lines and replace them accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3d2b834d-a9f8-43a1-b2ed-5c659d81aa56

📥 Commits

Reviewing files that changed from the base of the PR and between 154671b and d5c6df8.

📒 Files selected for processing (2)

• .github/workflows/website-live-test-install-script.yml
• website/static/install-cli.sh

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@website/content/docs/getting-started/ocm-cli-installation.md`:
- Around line 159-163: Replace the non-portable "base64 -d" in the pipeline that
decodes the DSSE payload (the line piping into base64 -d before jq '.subject[] |
"\(.digest.sha256)  \(.name)"') with a portable decoding approach: use a decode
flag that works on both GNU and BSD/macOS (e.g., --decode or -D) or fall back to
openssl base64 -d when base64 -d is unsupported, so macOS users won't fail the
"Manual SHA-256" flow.
- Around line 140-143: Replace the permissive certificate identity regex
currently passed to --certificate-identity-regexp (the pattern starting with
'^https://github.com/open-component-model/open-component-model/') with a
stricter regex that pins the GitHub Actions workflow path and ref so only
attestations from the specific workflow are accepted; specifically require the
.github/workflows/cli-release.yml identity and restrict refs to heads/main or
tags matching semantic version tags (vMAJOR.MINOR.PATCH), and ensure dots are
escaped and anchors used so the identity matches exactly the expected
workflow@refs value.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: eb1e65f9-9467-4b0b-b2c3-e6460f9f88c8

📥 Commits

Reviewing files that changed from the base of the PR and between d5c6df8 and 43ed6a5.

📒 Files selected for processing (2)

• website/content/docs/getting-started/ocm-cli-installation.md
• website/static/install-cli.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• website/static/install-cli.sh

[frewilhelm]

Very cool - thanks a lot!