
Add the install.sh script and upload it to S3 #54

Merged. adamwg merged 1 commit into crossplane:main from adamwg:awg/install-script, May 29, 2026

adamwg (Member) commented May 29, 2026

Description of your changes

Copy the install.sh script over from c/c, since its source of truth should probably be this repository. Update CI to push the script to our S3 bucket, so that if we update it in the future it automatically ends up there. Note that we upload install.sh from the promote-artifacts job only from the main branch.

Related docs change: crossplane/docs#1099

I have:

Copy the install.sh script over from c/c, since its source of truth should
probably be this repository. Update CI to push the script to our S3 bucket, so
that if we update it in the future it automatically ends up there.

Signed-off-by: Adam Wolfe Gordon <awg@upbound.io>
@adamwg adamwg requested review from a team, jcogilvie and tampakrap as code owners May 29, 2026 16:04
@adamwg adamwg requested review from jbw976 and removed request for a team May 29, 2026 16:04
coderabbitai Bot commented May 29, 2026

Walkthrough

This PR introduces install.sh, a shell script for automated installation of the Crossplane CLI. The script handles platform detection, validates supported OS/architecture combinations, downloads the appropriate binary or tarball from version-specific URLs, performs necessary extraction and renaming, and provides post-install guidance.

Changes

Crossplane CLI Installation Script

| Layer / File(s) | Summary |
|---|---|
| Installation download and setup flow (`install.sh`) | Complete installation script with OS/architecture detection, supported platform validation, version-specific URL construction (including legacy version handling), curl-based download with error handling, optional tarball extraction, binary renaming, permission setup, and user-facing post-install instructions. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main changes: adding and uploading the install.sh script to S3, and stays well under the 72-character limit. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Breaking Changes | ✅ Passed | PR only adds install.sh and modifies nix/apps.nix; zero modifications/deletions to apis/ or cmd/ files, so no breaking changes to public fields/flags occur. |
| Feature Gate Requirement | ✅ Passed | PR adds install.sh (binary download script) and CI updates; does not introduce experimental features affecting apis/** or requiring feature flags. |
| Description check | ✅ Passed | The pull request description clearly explains the changes: copying install.sh from crossplane/crossplane to this repository and updating CI to push it to S3. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
install.sh (1)

100-103: ⚡ Quick win

Consider adding a timeout to the curl command for better reliability.

While the current flags are appropriate, adding --max-time 300 (or a suitable timeout) would prevent the script from hanging indefinitely on slow or stalled network connections, improving the user experience.

⏱️ Proposed enhancement with timeout
-if ! curl -sfL "${url}" -o "${url_file}"; then
+if ! curl -sfL --max-time 300 "${url}" -o "${url_file}"; then
 	echo "Failed to download Crossplane CLI. Please make sure ${url_error}version ${XP_VERSION} exists on channel ${XP_CHANNEL}."
 	exit 1
 fi
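Review bot: `--max-time 300` on the `curl` line caps the whole transfer, not only a stalled one, so a slow but progressing download is aborted at five minutes and then reported with the "make sure ... version ${XP_VERSION} exists on channel ${XP_CHANNEL}" message, which misstates the cause. Consider `--connect-timeout` together with `--speed-limit` and `--speed-time` to catch stalls only, and a failure message that also covers network timeouts.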
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@install.sh` around lines 100 - 103, Add a maximum-time to the curl invocation
to avoid hangs: modify the curl command that downloads "${url}" into
"${url_file}" (the block referencing variables url, url_file, url_error,
XP_VERSION, XP_CHANNEL) to include a suitable timeout flag such as --max-time
300 (or another chosen seconds value) so the download fails fast and the
existing error message/exit path is exercised when the timeout is reached.

📥 Commits

Reviewing files that changed from the base of the PR and between d41550c and 7586161.

⛔ Files ignored due to path filters (1)
  • nix/apps.nix is excluded by none and included by none
📒 Files selected for processing (1)
  • install.sh

Comment thread install.sh
Comment on lines +105 to +111
if [ "${_compr}" = "true" ]; then
if ! tar xzf "${url_file}"; then
echo "Failed to unpack the Crossplane CLI compressed file."
exit 1
fi
rm "${BIN}.sha256" "${url_file}"
fi
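Review bot: `tar xzf "${url_file}"` unpacks every member of the downloaded archive into the current directory, so anything the tarball carries besides `${BIN}` and `${BIN}.sha256` is written there and can overwrite an existing file of the same name. Extract into a fresh temporary directory, or name the expected members on the `tar` command line, and move only `${BIN}` into place afterwards.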
@coderabbitai coderabbitai Bot May 29, 2026

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix potential failure when .sha256 file is missing from tarball.

Line 110 unconditionally removes ${BIN}.sha256, but with set -e in effect, the script will exit if this file doesn't exist in the extracted tarball. This could break installations if the tarball structure changes.

Additionally, while the script removes the checksum file, it never validates it—a missed security opportunity. Would you like to either:

  1. Add checksum validation before removal, or
  2. Use rm -f to ignore missing files?
🛡️ Proposed fix options

Option 1: Make rm fail-safe (quick fix)

-	rm "${BIN}.sha256" "${url_file}"
+	rm -f "${BIN}.sha256" "${url_file}"
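Review bot: `rm -f "${BIN}.sha256"` makes a tarball with no checksum file indistinguishable from a good one, so a malformed release artifact installs without any signal. If the goal is only to keep `set -e` from aborting during cleanup, test for the file explicitly and print an error before exiting instead of suppressing the failure.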

Option 2: Validate checksum before removal (more secure)

+	if [ -f "${BIN}.sha256" ]; then
+		if ! sha256sum -c "${BIN}.sha256"; then
+			echo "Checksum validation failed for Crossplane CLI."
+			exit 1
+		fi
+	fi
 	rm -f "${BIN}.sha256" "${url_file}"
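Review bot: the `[ -f "${BIN}.sha256" ]` guard makes verification optional: when the checksum file is absent the `sha256sum -c` branch is skipped and the binary is installed unverified. Treat a missing file as a failure. Note also that a checksum shipped inside the same tarball as the binary only detects corruption, since anyone able to replace the archive can replace both; tamper resistance needs a digest or signature obtained from a separate source.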
📝 Committable suggestion

Suggested change
if [ "${_compr}" = "true" ]; then
if ! tar xzf "${url_file}"; then
echo "Failed to unpack the Crossplane CLI compressed file."
exit 1
fi
rm "${BIN}.sha256" "${url_file}"
fi
if [ "${_compr}" = "true" ]; then
if ! tar xzf "${url_file}"; then
echo "Failed to unpack the Crossplane CLI compressed file."
exit 1
fi
rm -f "${BIN}.sha256" "${url_file}"
fi
Suggested change
if [ "${_compr}" = "true" ]; then
if ! tar xzf "${url_file}"; then
echo "Failed to unpack the Crossplane CLI compressed file."
exit 1
fi
rm "${BIN}.sha256" "${url_file}"
fi
if [ "${_compr}" = "true" ]; then
if ! tar xzf "${url_file}"; then
echo "Failed to unpack the Crossplane CLI compressed file."
exit 1
fi
if [ -f "${BIN}.sha256" ]; then
if ! sha256sum -c "${BIN}.sha256"; then
echo "Checksum validation failed for Crossplane CLI."
exit 1
fi
fi
rm -f "${BIN}.sha256" "${url_file}"
fi
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@install.sh` around lines 105 - 111, The script currently unconditionally runs
rm "${BIN}.sha256" after extracting ${url_file}, which will cause the script to
fail under set -e if the checksum file is absent; either make the removal safe
by using rm -f "${BIN}.sha256" (quick fix) or, preferably, validate the checksum
before deleting by checking for the presence of "${BIN}.sha256", verifying it
with sha256sum -c (or similar) against the extracted binary, fail on mismatch,
and only then remove the checksum file; update the block that handles extraction
of ${url_file} and the subsequent rm to implement one of these two approaches.

Collaborator

I believe we should leave it as it is. If the checksum file is missing from the tarball, then we have a bigger problem to solve. Also, I'd like to introduce the validation functionality in a separate PR.

@tampakrap, that's a fair point — failing loudly when .sha256 is absent is actually the safer behavior, since it signals a malformed release artifact rather than silently continuing. Happy to defer the full validation to a separate PR.

Would you like me to open a GitHub issue to track the checksum validation work so it doesn't get lost?
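
A fail-closed form of the checksum validation this thread defers to a later PR, as an added example that is not part of the PR or of Crossplane's install.sh. It treats a missing or mismatched `${BIN}.sha256` as an error and removes the unverified binary; it compares digests directly rather than calling `sha256sum -c` so it can fall back to `shasum -a 256`. The function names and the `<digest>  <file>` layout of the checksum file are assumptions.

```sh
#!/bin/sh
# Added example (not from the PR): fail-closed checksum check after extraction.
# Assumes BIN.sha256 holds "<hex digest>  <file name>", the layout that
# `sha256sum -c` reads; the page does not show the file's contents.
# A checksum shipped in the same tarball detects corruption, not tampering.

# sha256_of FILE: print FILE's hex SHA-256 using whichever tool is installed.
sha256_of() {
	if command -v sha256sum >/dev/null 2>&1; then
		sha256sum "$1" | awk '{print $1}'
	elif command -v shasum >/dev/null 2>&1; then
		shasum -a 256 "$1" | awk '{print $1}'
	else
		return 127
	fi
}

# verify_binary BIN: succeed only if BIN.sha256 exists and matches BIN.
verify_binary() {
	bin="$1"
	sum_file="${bin}.sha256"
	if [ ! -f "${sum_file}" ]; then
		echo "Checksum file ${sum_file} is missing; refusing to install." >&2
		return 1
	fi
	expected=$(awk 'NR==1 {print tolower($1)}' "${sum_file}")
	if ! actual=$(sha256_of "${bin}"); then
		echo "No SHA-256 tool found (tried sha256sum and shasum)." >&2
		return 1
	fi
	if [ -z "${expected}" ] || [ "${expected}" != "${actual}" ]; then
		echo "Checksum validation failed for ${bin}." >&2
		return 1
	fi
}

# finish_extract BIN ARCHIVE: keep BIN only when it verifies; always clean up.
finish_extract() {
	if ! verify_binary "$1"; then
		rm -f "$1" "$1.sha256" "$2"
		return 1
	fi
	rm -f "$1.sha256" "$2"
}
```

In the extraction block under review, `finish_extract "${BIN}" "${url_file}" || exit 1` would take the place of the unconditional `rm`.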

@tampakrap (Collaborator)

are we changing the docs or not yet?

adamwg (Member, Author) commented May 29, 2026

> are we changing the docs or not yet?

I have an update ready for PR. Was going to wait until this one is merged, but I did already manually upload install.sh to the CLI releases bucket, so I suppose there's no reason to wait.

adamwg (Member, Author) commented May 29, 2026

@tampakrap Docs update in crossplane/docs#1099 :-).

tampakrap (Collaborator) left a comment

thanks, please add the docs link in the PR description as well

@adamwg adamwg merged commit b96ad2d into crossplane:main May 29, 2026
11 checks passed
@adamwg adamwg deleted the awg/install-script branch May 29, 2026 22:12