@javirln javirln commented Apr 7, 2025

This patch updates the install.sh script to support both legacy and modern GitHub release formats for the Chainloop CLI.

In newer releases (starting from version v1.0.0-rc.3), the CLI is distributed as a plain binary without a version in the filename and without a .tar.gz archive. The script now detects whether a given release is legacy or modern and downloads the appropriate artifact accordingly—either the .tar.gz archive for older versions or the standalone binary for newer ones.

For modern releases, the latest version can be downloaded using the following URL:

https://github.com/chainloop-dev/chainloop/releases/latest/download/chainloop-OS-ARCH

Please note that legacy and modern GitHub releases refer to the way Chainloop pushes artifacts to GitHub's releases.

Examples:

Regular installation (legacy)

$ /usr/bin/env bash docs/static/install.sh                   
Step 1: Downloading: chainloop-cli-1.0.0-rc.3-darwin-arm64.tar.gz
Done...

Step 1.2: Verifying checksum
chainloop-cli-1.0.0-rc.3-darwin-arm64.tar.gz: OK
Checksum OK

Step 1.3: Verifying signature
Verified OK
Step 2: Decompressing: /var/folders/ct/h8h0pjcd6q180cnxqhykjv3c0000gn/T/tmp.1yk9hixiAU/chainloop-cli-1.0.0-rc.3-darwin-arm64.tar.gz
Done...

Step 3: Installing: chainloop in path /usr/local/bin
Password:
Step 4: Cleanup
Done...

Client Version: 1.0.0-rc.3
Server Version: 1.0.0-rc.3
Check here for the next steps: https://docs.chainloop.dev

Run 'chainloop auth login' to get started

New installations (being forced by modifying the code since there are no new releases yet):

$ /usr/bin/env bash docs/static/install.sh
Step 1: Downloading: chainloop-darwin-arm64, Version: 1.0.0-rc.3
Done...

Step 1.2: Verifying checksum
chainloop-darwin-arm64: OK
Checksum OK

Step 1.3: Verifying signature
Verified OK
Step 2: Installing: chainloop to /usr/local/bin
Step 3: Cleanup
Done...

Client Version: 1.0.0-rc.3
Server Version: 1.0.0-rc.3
Check here for the next steps: https://docs.chainloop.dev

Run 'chainloop auth login' to get started

Forcing a specific version of the CLI:

Legacy

$ /usr/bin/env bash docs/static/install.sh --version v1.0.0-rc.3
Step 1: Downloading: chainloop-cli-1.0.0-rc.3-darwin-arm64.tar.gz
Done...

Step 1.2: Verifying checksum
chainloop-cli-1.0.0-rc.3-darwin-arm64.tar.gz: OK
Checksum OK

Step 1.3: Verifying signature
Verified OK
Step 2: Decompressing: /var/folders/ct/h8h0pjcd6q180cnxqhykjv3c0000gn/T/tmp.QXyJjjSWac/chainloop-cli-1.0.0-rc.3-darwin-arm64.tar.gz
Done...

Step 3: Installing: chainloop in path /usr/local/bin
Step 4: Cleanup
Done...

Client Version: 1.0.0-rc.3
Server Version: 1.0.0-rc.3
Check here for the next steps: https://docs.chainloop.dev

Run 'chainloop auth login' to get started

New installations (being forced by modifying the code since there are no new releases yet) forcing a version:

$ /usr/bin/env bash docs/static/install.sh --version v1.0.0-rc.3
Step 1: Downloading: chainloop-darwin-arm64, Version: 1.0.0-rc.3
Done...

Step 1.2: Verifying checksum
chainloop-darwin-arm64: OK
Checksum OK

Step 1.3: Verifying signature
Verified OK
Step 2: Installing: chainloop to /usr/local/bin
Step 3: Cleanup
Done...

Client Version: 1.0.0-rc.3
Server Version: 1.0.0-rc.3
Check here for the next steps: https://docs.chainloop.dev

Run 'chainloop auth login' to get started
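
Added example, not part of this PR or of install.sh: a fail-closed version of the "Step 1.2: Verifying checksum" check for the modern artifact name, which has no extension and is therefore a prefix of any sidecar file name. The checksums.txt layout, the ".sig" sidecar name and the function names are assumptions, and the sample files are constructed.

```bash
#!/usr/bin/env bash
# Added example: fail-closed checksum check for a single release artifact.
# The checksums.txt layout and the ".sig" sidecar name are assumptions.

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum <artifact> <checksums-file>
# 0 = digest matches, 1 = mismatch, 2 = no entry or more than one entry.
verify_checksum() {
  local file=$1 sums=$2 name expected actual
  name=$(basename "$file")
  # Match the name field exactly. The modern name has no extension, so a
  # substring match would also select "chainloop-darwin-arm64.sig".
  expected=$(awk -v n="$name" '
    { f = $2; sub(/^\*/, "", f) }
    f == n { hits++; digest = $1 }
    END { if (hits == 1) print digest; else exit 1 }' "$sums") || return 2
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Build constructed sample files (not real release artifacts) in a temp dir.
make_fixture() {
  local dir f
  dir=$(mktemp -d) || return 1
  printf 'constructed modern binary\n' > "$dir/chainloop-darwin-arm64"
  printf 'constructed signature\n'     > "$dir/chainloop-darwin-arm64.sig"
  printf 'constructed, unlisted\n'     > "$dir/chainloop-linux-amd64"
  for f in chainloop-darwin-arm64.sig chainloop-darwin-arm64; do
    printf '%s  %s\n' "$(sha256_of "$dir/$f")" "$f"
  done > "$dir/checksums.txt"
  printf '%s\n' "$dir"
}

fixture=$(make_fixture)
if verify_checksum "$fixture/chainloop-darwin-arm64" "$fixture/checksums.txt"; then
  echo "Checksum OK"
fi
```

An artifact with no entry in the checksums file returns 2 rather than passing silently, so a caller should treat any non-zero status as a reason to stop before the install step.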

javirln added 2 commits April 7, 2025 16:37
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
@javirln javirln requested review from migmartri and jiparis April 7, 2025 14:55
@javirln javirln self-assigned this Apr 7, 2025
@javirln javirln changed the title chore(install): Modify install.sh to support new GitHub release chore(install): Modify install.sh to support new GitHub release artifacts Apr 7, 2025
@migmartri

In those examples I can't see testing loading an old version, for example

/usr/bin/env bash docs/static/install.sh --version v0.186.0

Does it work?

VERSION=""
FORCE_VERIFICATION=false
INSTALL_PATH=/usr/local/bin
PUBLIC_KEY_URL="https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/cosign-releases.pub"
Member

out of curiosity, are we still signing the binaries with a private key? I thought we moved to fulcio?

@javirln javirln Apr 8, 2025

Yes, we are still signing all the output of goreleaser with a private key, see here:

COSIGN_KEY: ${{ secrets.COSIGN_KEY }}

I thought we moved to fulcio?

About the fulcio thingy, I cannot comment, I really don't know about it.

Member

It would be good to create an issue about it

javirln commented Apr 8, 2025

In those examples I can't see testing loading an old version, for example

/usr/bin/env bash docs/static/install.sh --version v0.186.0

Does it work?

Yes sure, here's a few examples:

$ /usr/bin/env bash docs/static/install.sh --version v0.186.0
Step 1: Downloading: chainloop-cli-0.186.0-darwin-arm64.tar.gz
Done...

Step 1.2: Verifying checksum
chainloop-cli-0.186.0-darwin-arm64.tar.gz: OK
Checksum OK

Step 1.3: Verifying signature
Verified OK
Step 2: Decompressing: /var/folders/ct/h8h0pjcd6q180cnxqhykjv3c0000gn/T/tmp.pIQBy3IORv/chainloop-cli-0.186.0-darwin-arm64.tar.gz
Done...

Step 3: Installing: chainloop in path /usr/local/bin
Password:
Step 4: Cleanup
Done...

Client Version: 0.186.0
Server Version: 1.0.0-rc.3
Check here for the next steps: https://docs.chainloop.dev

Run 'chainloop auth login' to get started

And with a way older version:

$ /usr/bin/env bash docs/static/install.sh --version v0.30.0 
Step 1: Downloading: chainloop-cli-0.30.0-darwin-arm64.tar.gz
Done...

Step 1.2: Verifying checksum
chainloop-cli-0.30.0-darwin-arm64.tar.gz: OK
Checksum OK

Step 1.3: Verifying signature
Verified OK
Step 2: Decompressing: /var/folders/ct/h8h0pjcd6q180cnxqhykjv3c0000gn/T/tmp.HbpYRKguo3/chainloop-cli-0.30.0-darwin-arm64.tar.gz
Done...

Step 3: Installing: chainloop in path /usr/local/bin
Step 4: Cleanup
Done...

chainloop version 0.30.0
Check here for the next steps: https://docs.chainloop.dev

Run 'chainloop auth login' to get started

Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
@javirln javirln merged commit f2a0504 into chainloop-dev:main Apr 8, 2025
14 checks passed