feat: v1.4.1 — one-liner installer (opt-in, SHA-pinned) #3

Merged: notabotchef merged 1 commit into main from release/v1.4.1 on Apr 12, 2026
@notabotchef
Owner

Summary

Phase 3 of setup-friction-fix: opt-in one-liner installer for users who want a single command. Quick Start (v1.4.0) remains the default and recommended path.

  • install.sh — full arg parser (--dry-run, --yes, --path, --mode=docker|manual, --verbose). 5-second countdown + Y/n confirm when not piped with --yes. NO_COLOR-aware. Idempotent — skips if already installed at the same version.
  • A0 install dir auto-detection — checks 5 candidate paths + introspects running container mounts via docker inspect. BLOCKs ambiguously on multiple matches under --yes.
  • SHA256 verification: _download_and_verify_override checks the override file SHA against a pinned value baked into the script per release. SHA mismatch → exit 3, file removed. Pinned SHA published in GitHub Release notes per tag.
  • Two install modes: --mode=docker (default: download override, verify SHA, restart compose) and --mode=manual (git clone/pull + docker exec execute.py).
  • Post-install check — runs bridge_doctor --quiet in the container. On failure, falls through to verbose output and links the Troubleshooting README section.
  • .github/workflows/release.yml — on v* tag, computes install.sh SHA256 and attaches it to the GitHub Release notes. Publishes install.sh + docker-compose.override.yml as release assets.
  • README "Install via script" section — placed after Quick Start, before Manual Install. Explicit security warning. Two equivalent forms: pipe direct vs download/inspect/run.

Polish (over autopilot phase commit)

  • --help now uses awk to skip the shebang and stop at the first non-comment line. macOS-compatible (no GNU sed \? extension).
  • Compose restart uses explicit (cd <dir> && docker compose up -d) when a docker-compose.yml is found, instead of an || fallback chain that ate stderr from the first attempt.

Why

Some users want curl-pipe-bash. Some users (correctly) refuse to. This PR ships the convenience without forcing it: Quick Start is documented first, the script is opt-in with explicit security warnings, and SHA pinning gives auditors a verifiable handshake.

Test plan

  • bash -n install.sh — clean
  • shellcheck install.sh — 0 errors
  • bash install.sh --dry-run --yes — exit 0, no filesystem changes
  • bash install.sh --path=/tmp/doesnotexist — exit 2, clear error
  • bash install.sh --help — prints clean help (no shebang, no leading # )
  • python -m pytest tests/test_probe_novnc.py — 7/7 pass (no regression)
  • Deferred to user: real install on a fresh A0 instance — first v1.4.1 tag triggers release.yml and pins the SHA into the release notes

Files

  • install.sh — 443 lines, opt-in installer
  • .github/workflows/release.yml — SHA-pinned release notes
  • README.md — "Install via script" section
  • plugin.yaml — version 1.4.1

Phase 3 of 3 in .rune/plan-setup-friction-fix.md. Depends on #1 (v1.3.0) and #2 (v1.4.0).

Opt-in installer script with security-first design:
- install.sh: full arg parser (--dry-run, --yes, --path, --mode, --verbose),
  security warning + script SHA256 display, 5-second countdown for piped-from-
  curl safety, A0 dir auto-detection (filesystem + docker inspect candidates),
  ambiguous detection exits 2 under --yes, docker mode (SHA-verified override
  download) + manual mode (git clone/pull + execute.py), idempotent re-run
  check, post-install bridge_doctor verification, shellcheck clean (0 errors)
- .github/workflows/release.yml: on v* tag, computes install.sh SHA256,
  attaches to GitHub Release notes; publishes install.sh + override.yml as
  release assets for user verification
- README: "Install via script" section added between Quick Start and Manual
  Install with explicit security warning block; both curl forms shown;
  SHA verification instructions; v1.4.1 changelog
- plugin.yaml: version 1.4.1

Verification: bash install.sh --dry-run --yes exits 0 (no filesystem changes);
--path=/tmp/doesnotexist exits 2; shellcheck reports 0 errors

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@notabotchef notabotchef merged commit e25b6b7 into main Apr 12, 2026
@notabotchef notabotchef deleted the release/v1.4.1 branch April 12, 2026 03:22
@notabotchef
Owner Author

SHA verification on the override file is a nice touch. The 5-second countdown for piped-from-curl is good UX — gives people a chance to ctrl-c if they didn't mean to run it.
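
The pinned-SHA check described in this PR (mismatch → exit 3, file removed), sketched as an added example; this is not the project's install.sh. The function names `sha256_of` and `verify_pinned_sha256` are hypothetical, and the check runs on an already-downloaded local file so it works offline.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded file against a pinned SHA256.
# sha256_of and verify_pinned_sha256 are hypothetical names, not the project's.

# Print the lowercase hex SHA256 of a file, using whichever tool exists
# (sha256sum on most Linux systems, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    return 127
  fi
}

# verify_pinned_sha256 FILE EXPECTED_SHA
# Returns 0 on match. On mismatch, a malformed pin, or an uncomputable hash,
# removes FILE and returns 3 so an unverified file is never left on disk.
verify_pinned_sha256() {
  local file="$1" expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  # Reject a malformed pin instead of comparing against garbage.
  case "$expected" in
    *[!0-9a-f]*|'') rm -f -- "$file"; return 3 ;;
  esac
  [ "${#expected}" -eq 64 ] || { rm -f -- "$file"; return 3; }
  actual=$(sha256_of "$file") || actual=''
  if [ "$actual" != "$expected" ]; then
    echo "SHA256 mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   ${actual:-<unavailable>}" >&2
    rm -f -- "$file"
    return 3
  fi
  return 0
}

# Constructed demo (run with --demo): a matching file passes, a tampered one is rejected.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp); printf 'services: {}\n' > "$tmp"
  pin=$(sha256_of "$tmp")   # stands in for the value pinned per release
  verify_pinned_sha256 "$tmp" "$pin" && echo "ok: hash matches pin"
  printf 'tampered\n' >> "$tmp"
  verify_pinned_sha256 "$tmp" "$pin" || echo "rejected, exit code $?"
fi
```

The pin only protects the file it covers: it must come from a channel other than the one serving the download, otherwise whoever can alter the file can alter the expected hash with it.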
