Feature Request: Remove version from binary filenames #31

Closed
modem7 opened this issue Jan 10, 2022 · 1 comment
modem7 commented Jan 10, 2022

Heya,

The thinking behind this request is to be able to more easily script/download the latest version of the binaries.

Instead of having to write grep/jq/findstr/convertfrom-json strings or creating env vars, we'd be able to do something akin to sudo curl -fL https://github.com/bdd/runitor/releases/latest/download/runitor-linux-amd64 -o /usr/local/bin/runitor (and similar in Windows with Invoke-WebRequest) allowing for easier updates/initial downloads/Ansible.

modem7 changed the title from "Feature Request: Remove version from artifact filename" to "Feature Request: Remove version from binary filenames" on Jan 10, 2022
bdd (Owner) commented Jan 10, 2022

I understand the desire to make the latest artifact fetching less involved but I'd like to stick with artifact names including version information along with os+arch. The reasons are consistency with common practice, and metadata commitment to signed artifact manifests (SHA256 and SHA256.sig).

Don't mean to drop unsolicited operational security advice but I'd highly recommend adding signature[1] checking to your artifact fetching automation. Something that'll require a bit of scripting on its own, as mentioned in the README.

On the off chance you already have Go in your "build environment", you can use go install bdd.fi/x/runitor/cmd/runitor@latest to fetch the latest tag and build locally. Certainly not as small or as ubiquitous a tool as curl, and AFAIK cannot verify signed Git tags either.

Footnotes

  1. Runitor release binaries are signed manually by me, offline, after ensuring reproducible build to GH Action built ones from the release tag. The keys listed at https://bdd.fi/x/runitor.pub were all generated on hardware tokens in such a way that private keys cannot be exported. The distribution endpoint, hosted on Fly, has discrete credentials to my GH account. Same goes for the domain registrar (Gandi), and the DNS provider (Google).

bdd closed this as completed on Jan 14, 2022
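
Added example, not from either commenter or from the runitor project: a shell check that a fetched binary matches the manifest entry carrying the exact versioned name the automation asked for, which is the binding a version-less filename would lose. The `sha256sum`-style manifest layout, the function names and the `v9.9.9` file names are assumptions; verifying the manifest's signature (SHA256.sig) must happen first, as the README describes, and is not shown.

```shell
#!/bin/sh
# Added example. Assumes the manifest uses sha256sum's "<digest>  <name>" line
# format and has ALREADY passed signature verification against SHA256.sig.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_artifact MANIFEST FILE EXPECTED_NAME
# 0: MANIFEST has exactly one entry named EXPECTED_NAME and FILE matches it.
# 1: digest mismatch.  2: name missing or duplicated.  3: FILE unreadable.
verify_artifact() {
    manifest=$1; file=$2; expected_name=$3
    want=$(awk -v n="$expected_name" '
        { f = $2; sub(/^\*/, "", f) }      # drop the binary-mode "*" marker
        f == n { print $1; hits++ }
        END { if (hits != 1) exit 1 }' "$manifest") || return 2
    [ -r "$file" ] || return 3
    got=$(sha256_of "$file")
    [ "$want" = "$got" ]
}

# Constructed sample data: made-up version numbers and file contents.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'new build\n' > "$d/runitor-v9.9.9-linux-amd64"
    printf 'old build\n' > "$d/runitor-v9.9.8-linux-amd64"
    ( cd "$d" && for f in runitor-v*; do
          printf '%s  %s\n' "$(sha256_of "$f")" "$f"
      done > SHA256 )
    printf '%s\n' "$d"
}
```

Because the expected name includes the version, an older build served in place of the requested one fails the digest comparison even though its own manifest entry is valid.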