Refactor action to use main Brioche installer script #15
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
Author
|
Oh yeah, I ran a few test workflows against this PR in the |
Contributor
|
Ok it looks good to me. Once this PR is merged, I'll update the test workflow to:
|
jaudiger
approved these changes
Nov 8, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Up until now,
setup-briocheincluded its own install script, which was an evolution of the old install script. Maintenance-wise, this was a pain, since we had to effectively make installer changes to both theinstall.shscript and to the version of the script in thesetup-briocheaction. And with the way the old installer worked, that also meant that we had to publish a new version of thesetup-briocheaction for each Brioche release!This PR basically scraps the original install script, and now uses the new
brioche-installerscript instead. Unlike the previous version, we just download the installer script itself and run it. To maintain a similar security posture as before, we also verify the installer's signature before running it. See the "Releases" section of thebrioche-installerREADME for details about signature verification (the verification code was basically copy/pasted from that README).Also, to try and bring
setup-briocheandbrioche-installercloser together, I made a few changes to the inputs:install-bin-dirinput, which corresponds to$BRIOCHE_INSTALL_BIN_DIR. When set, we also substitute the value of$HOME(using basic Bash string replacement).install-dirinput has been deprecated in favor ofinstall-bin-dir. To maximize compatibility, it usesenvsubstfor string replacement when set.install-rootinput too, which corresponds to$BRIOCHE_INSTALL_ROOT. When set, we also substitute the value of$HOME(using basic Bash string replacement).action.yml, defaults are left unset. This lets the installer script decide what the default values should be....but there are still some differences compared to just calling the official install script directly:
BRIOCHE_INSTALL_CONTEXTis set togithub-actionsunconditionally. The installer then handles$GITHUB_PATH, and also uses::group::to group the outputBRIOCHE_INSTALL_VERIFY_SIGNATURE. Since the installer script itself gets verified, I didn't see a reason to opt-out of signature verificationBRIOCHE_INSTALL_APPARMOR_CONFIGis set toautoby default. This mirrors our current behavior, and I think is a sensible default for CI pipelines.