Skip to main content

Install

github-comment is written in Go. So you only have to install a binary in your PATH.

There are some ways to install github-comment.

  1. Homebrew
  2. Scoop
  3. aqua
  4. GitHub Releases
  5. Build an executable binary from source code yourself using Go

Homebrew

You can install github-comment using Homebrew.

brew install suzuki-shunsuke/github-comment/github-comment

Scoop

You can install github-comment using Scoop.

scoop bucket add suzuki-shunsuke https://github.com/suzuki-shunsuke/scoop-bucket
scoop install github-comment

aqua

You can install github-comment using aqua.

aqua g -i suzuki-shunsuke/github-comment

Build an executable binary from source code yourself using Go

go install github.com/suzuki-shunsuke/github-comment/v6/cmd/github-comment@latest

GitHub Releases

You can download an asset from GitHub Releases. Please unarchive it and install a pre built binary into $PATH.

Verify downloaded assets from GitHub Releases

You can verify downloaded assets using some tools.

  1. GitHub CLI
  2. slsa-verifier
  3. Cosign

1. GitHub CLI

You can install GitHub CLI by aqua.

aqua g -i cli/cli
version=v6.3.2
asset=github-comment_${version#v}_darwin_arm64.tar.gz
gh release download -R suzuki-shunsuke/github-comment "$version" -p "$asset"
gh attestation verify "$asset" \
-R suzuki-shunsuke/github-comment \
--signer-workflow suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml

2. slsa-verifier

You can install slsa-verifier by aqua.

aqua g -i slsa-framework/slsa-verifier
version=v6.3.2
asset=github-comment_${version#v}_darwin_arm64.tar.gz
gh release download -R suzuki-shunsuke/github-comment "$version" -p "$asset" -p multiple.intoto.jsonl
slsa-verifier verify-artifact "$asset" \
--provenance-path multiple.intoto.jsonl \
--source-uri github.com/suzuki-shunsuke/github-comment \
--source-tag "$version"

3. Cosign

You can install Cosign by aqua.

aqua g -i sigstore/cosign
version=v6.3.2
checksum_file="github-comment_${version#v}_checksums.txt"
asset=github-comment_${version#v}_darwin_arm64.tar.gz
gh release download "$version" \
-R suzuki-shunsuke/github-comment \
-p "$asset" \
-p "$checksum_file" \
-p "${checksum_file}.pem" \
-p "${checksum_file}.sig"
cosign verify-blob \
--signature "${checksum_file}.sig" \
--certificate "${checksum_file}.pem" \
--certificate-identity-regexp 'https://github\.com/suzuki-shunsuke/go-release-workflow/\.github/workflows/release\.yaml@.*' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
"$checksum_file"
cat "$checksum_file" | sha256sum --ignore-missing -c -