#!/bin/sh
# NuGetKeep installer bootstrap — served at https://nugetkeep.com/install
#
# curl -fsSL https://nugetkeep.com/install | bash
# curl -fsSL https://nugetkeep.com/install | bash -s -- render --target helm --image ...
#
# Downloads the self-contained `nugetkeep-install` binary for this OS/arch from the
# public releases repo, verifies its sha256 against the release's checksums.txt, and
# execs it with your arguments (stdin re-attached to the terminal so the wizard works).
#
# Pin a version: curl -fsSL https://nugetkeep.com/install | NUGETKEEP_INSTALL_VERSION=0.5.0 bash
# Mirror/offline: curl ... | NUGETKEEP_INSTALL_BASE_URL=https://my.mirror/releases bash
# (the base must serve the GitHub releases URL shape:
# /latest/download/ and /download/v/)
#
# POSIX sh — runs under dash, macOS bash 3.2, and zsh-as-sh. All progress goes to
# stderr; stdout belongs to the installer itself.
set -eu
say() { printf '%s\n' "$*" >&2; }
die() { say "error: $*"; exit 1; }
os="$(uname -s)"
arch="$(uname -m)"
case "$os" in
Linux) os=linux ;;
Darwin) os=osx ;;
MINGW*|MSYS*|CYGWIN*)
die "native Windows is not supported yet — run this inside WSL2 (https://learn.microsoft.com/windows/wsl/install). Native Windows support lands later." ;;
*) die "unsupported OS '$os' — supported: Linux and macOS (on Windows, use WSL2)." ;;
esac
case "$arch" in
x86_64|amd64) arch=x64 ;;
arm64|aarch64) arch=arm64 ;;
*) die "unsupported architecture '$arch' — supported: x86_64/amd64 and arm64/aarch64." ;;
esac
# musl-based distros (Alpine): the glibc binaries below won't run — use the Docker image.
asset="nugetkeep-install-$os-$arch.tar.gz"
base="${NUGETKEEP_INSTALL_BASE_URL:-https://github.com/atypical-consulting/nugetkeep-releases/releases}"
if [ -n "${NUGETKEEP_INSTALL_VERSION:-}" ]; then
path="download/v$NUGETKEEP_INSTALL_VERSION"
else
path="latest/download"
fi
# The binary execs FROM this directory, so there is no cleanup trap (the shell is
# replaced by exec; the OS tmp reaper collects it).
tmp="$(mktemp -d)"
fetch() { # fetch
if command -v curl >/dev/null 2>&1; then
curl -fsSL -o "$2" "$1"
elif command -v wget >/dev/null 2>&1; then
wget -qO "$2" "$1"
else
die "need curl or wget to download $1"
fi
}
say "==> downloading $asset"
fetch "$base/$path/$asset" "$tmp/$asset" || die "download failed: $base/$path/$asset"
say "==> downloading checksums.txt"
fetch "$base/$path/checksums.txt" "$tmp/checksums.txt" || die "download failed: $base/$path/checksums.txt"
say "==> verifying sha256"
# Keep only our asset's line, then plain `-c`: behaves identically under GNU sha256sum
# and macOS shasum (no --ignore-missing, which older shasum builds lack), and a
# checksums.txt without our asset fails loudly instead of verifying nothing.
grep " $asset\$" "$tmp/checksums.txt" > "$tmp/expected.sum" \
|| die "checksums.txt has no entry for $asset"
if command -v sha256sum >/dev/null 2>&1; then
(cd "$tmp" && sha256sum -c expected.sum >&2) \
|| die "checksum verification FAILED for $asset — refusing to run it."
elif command -v shasum >/dev/null 2>&1; then
(cd "$tmp" && shasum -a 256 -c expected.sum >&2) \
|| die "checksum verification FAILED for $asset — refusing to run it."
else
die "need sha256sum or shasum to verify the download"
fi
say "==> extracting"
tar -xzf "$tmp/$asset" -C "$tmp"
chmod +x "$tmp/nugetkeep-install"
say "==> launching: nugetkeep-install $*"
# Under `curl | bash` stdin is the pipe — re-attach the terminal so the wizard can
# prompt. With piped/redirected stdout (CI), keep plain stdin; the binary itself
# enforces the tty-or---yes contract.
if [ -t 1 ] && [ -e /dev/tty ]; then
exec "$tmp/nugetkeep-install" "$@" < /dev/tty
else
exec "$tmp/nugetkeep-install" "$@"
fi