jswank/binst
1
0
Fork 0
Code Pull Requests Releases Activity
Files
checkov
binst/Taskfile.yaml
Jason Swank c8638c3fff checkov
2026-01-22 15:20:52 -05:00

126 lines
3.9 KiB
YAML
Raw Permalink Blame History

# This Taskfile helps generate binst installation scripts for different software
version: '3'
vars:
CONFIG_DIR: ./config
SCRIPT_DIR: ./scripts
tasks:
default:
desc: Create a new installation script for a binary
summary: |
Create a new installation script for a binary by initializing a binst config,
embedding checksums, and generating the installation script. The latest release, as
determined by the latest-release task, will be used unless a specific version is
provided.
Invoke this task like:
task default REPO=trufflesecurity/trufflehog
vars:
BINARY: "{{.REPO | base}}"
VERSION: '{{.VERSION | default "latest"}}'
cmds:
- task: init
vars:
REPO: "{{.REPO}}"
- task: embed-checksums
vars:
BINARY: "{{.BINARY}}"
VERSION: "{{.VERSION }}"
- task: gen
vars:
BINARY: "{{.BINARY}}"
requires:
vars: ["REPO"]
init:
desc: Initialize binst configuration for a GitHub project.
summary: |
Initialize a binst configuration for a GitHub project.
The config file will be saved to {{.CONFIG_DIR}}/{{.OUTPUT_FILE}}.
By default, the output file is named BINARY.binstaller.yml where BINARY is the
repository name (like trufflehog) extracted from the repo input.
Invoke this task like:
task init REPO=trufflesecurity/trufflehog
vars:
BINARY: "{{.REPO | base}}"
OUTPUT_FILE: "{{.BINARY}}.binstaller.yml"
cmd: |
binst init --source=github --repo {{.REPO}} -o {{.CONFIG_DIR}}/{{.OUTPUT_FILE}}
requires:
vars: ["REPO"]
embed-checksums:
desc: Embed checksums into a binst configuration file.
summary: |
Embed checksums into a binst configuration file for a specific version.
If VERSION is not specified, the latest release ("latest") will be used.
Invoke this task like:
task embed-checksums BINARY=trufflehog VERSION=v3.92.4
If --mode download fails, fallbac to --mode calculate
cmd: |
set +o errexit
binst embed-checksums --config {{.CONFIG_DIR}}/{{.BINARY}}.binstaller.yml --version {{.VERSION}} --mode download
if [ $? -ne 0 ]; then
# this is tougher than it should be...
# without this, checksums aren't written to the file at all
printf 'checksums:\n' >> {{.CONFIG_DIR}}/{{.BINARY}}.binstaller.yml
binst embed-checksums \
--config {{.CONFIG_DIR}}/{{.BINARY}}.binstaller.yml \
--version latest \
--mode calculate
# then the formatting is weird, so in-place edit using yq
yq -i {{.CONFIG_DIR}}/{{.BINARY}}.binstaller.yml
fi
vars:
VERSION: "latest"
requires:
vars: ["BINARY"]
gen:
desc: Generate installation script from binst configuration.
summary: |
Generate an installation script from a binst configuration file.
The generated script will be saved to {{.SCRIPT_DIR}}/{{.BINARY}}-install.sh.
Invoke this task like:
task gen BINARY=trufflehog
cmd: |
binst gen --config={{.CONFIG_DIR}}/{{.BINARY}}.binstaller.yml -o {{.SCRIPT_DIR}}/{{.BINARY}}-install.sh
requires:
vars: ["BINARY"]
latest-release:
desc: Determine the latest release available for a given repo.
summary: |
Determine the latest release available for a given GitHub repository.
Invoke this task like:
task latest-release REPO=trufflesecurity/trufflehog
cmd: |
gh release view -R {{.REPO}} --json tagName --jq .tagName
requires:
vars: ["REPO"]
install-*:
desc: Install a binary using its installation script.
summary: |
Install a binary using its installation script located in the scripts directory.
Invoke this task like:
task install-trufflehog
cmd: |
bash {{.SCRIPT_DIR}}/{{.BINARY}}-install.sh
vars:
BINARY: "{{index .MATCH 0}}"
View Git Blame Copy Permalink