feat: add curl install path and release artifacts (#54)

* feat: add curl installer and release assets

Provide a curlable install path and wire release outputs so installable artifacts are consistently published on GitHub releases.

* fix: address codex review findings

Avoid unnecessary sudo for user-owned install dirs, fail helper downloads on non-404 errors, and strengthen gateway allowlist fallback assertions so upstream failures cannot pass silently.

Author: lox

.github/workflows/release.yml

@@ -11,26 +11,41 @@ permissions:
 jobs:
   build-darwin-vz:
     runs-on: macos-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - arch: arm64
+            target: arm64-apple-macosx13.0
+          - arch: x86_64
+            target: x86_64-apple-macosx13.0
     steps:
       - uses: actions/checkout@v4
 
       - name: Build cleanroom-darwin-vz
         run: |
           mkdir -p dist
-          xcrun swiftc -O -target arm64-apple-macosx13.0 -framework Virtualization \
+          xcrun swiftc -O -target "${{ matrix.target }}" -framework Virtualization \
             cmd/cleanroom-darwin-vz/main.swift \
             -o dist/cleanroom-darwin-vz
 
       - name: Create archive
         run: |
+          ARCHIVE="cleanroom-darwin-vz_Darwin_${{ matrix.arch }}.tar.gz"
           cp cmd/cleanroom-darwin-vz/entitlements.plist dist/
-          tar -czf "dist/cleanroom-darwin-vz_Darwin_arm64.tar.gz" \
+          tar -czf "dist/${ARCHIVE}" \
             -C dist cleanroom-darwin-vz entitlements.plist
+          (
+            cd dist
+            shasum -a 256 "${ARCHIVE}" > "${ARCHIVE}.sha256"
+          )
 
       - uses: actions/upload-artifact@v4
         with:
-          name: cleanroom-darwin-vz
-          path: dist/cleanroom-darwin-vz_Darwin_arm64.tar.gz
+          name: cleanroom-darwin-vz-${{ matrix.arch }}
+          path: |
+            dist/cleanroom-darwin-vz_Darwin_${{ matrix.arch }}.tar.gz
+            dist/cleanroom-darwin-vz_Darwin_${{ matrix.arch }}.tar.gz.sha256
 
   release:
     runs-on: ubuntu-latest
@@ -53,12 +68,14 @@ jobs:
 
       - uses: actions/download-artifact@v4
         with:
-          name: cleanroom-darwin-vz
+          pattern: cleanroom-darwin-vz-*
+          merge-multiple: true
           path: dist
 
       - name: Upload darwin-vz helper to release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           gh release upload "${{ github.ref_name }}" \
-            dist/cleanroom-darwin-vz_Darwin_arm64.tar.gz
+            dist/cleanroom-darwin-vz_Darwin_*.tar.gz \
+            dist/cleanroom-darwin-vz_Darwin_*.tar.gz.sha256

.goreleaser.yml

@@ -22,9 +22,20 @@ builds:
       - -s -w
 
 archives:
-  - formats: [tar.gz]
+  - id: cleanroom
+    ids: [cleanroom]
+    formats: [tar.gz]
+    name_template: >-
+      {{ .Binary }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else }}{{ .Arch }}{{ end }}
+
+  - id: cleanroom-guest-agent
+    ids: [cleanroom-guest-agent]
+    formats: [tar.gz]
     name_template: >-
-      {{ .ProjectName }}_
+      {{ .Binary }}_
       {{- title .Os }}_
       {{- if eq .Arch "amd64" }}x86_64
       {{- else }}{{ .Arch }}{{ end }}

.mise.toml

@@ -13,7 +13,7 @@ run = "go test ./..."
 
 [tasks.lint-shell]
 description = "Lint shell scripts"
-run = "shellcheck -x scripts/cleanroom-root-helper.sh scripts/benchmark-tti.sh scripts/build-go.sh scripts/install-go.sh scripts/release.sh"
+run = "shellcheck -x scripts/cleanroom-root-helper.sh scripts/benchmark-tti.sh scripts/build-go.sh scripts/install-go.sh scripts/install.sh scripts/release.sh"
 
 [tasks.test-full]
 description = "Run full Go test suite"

README.md

@@ -71,6 +71,23 @@ func example() error {
 - status enums (`client.SandboxStatus_*`, `client.ExecutionStatus_*`)
 - ergonomic wrappers (`client.NewFromEnv`, `client.EnsureSandbox`, `client.ExecAndWait`)
 
+## Install
+
+Install the latest release:
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/buildkite/cleanroom/main/scripts/install.sh | bash
+```
+
+Install a specific version:
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/buildkite/cleanroom/main/scripts/install.sh | \
+  bash -s -- --version v0.1.0
+```
+
+By default this installs to `/usr/local/bin`. Override with `--install-dir` or `CLEANROOM_INSTALL_DIR`.
+
 ## Quick Start
 
 Initialize runtime config and check host prerequisites:
@@ -148,7 +165,7 @@ macOS note:
 
 - `darwin-vz` is the default backend on macOS
 - install host tools for rootfs derivation with `brew install e2fsprogs`
-- `cleanroom-darwin-vz` helper must be installed and signed with `com.apple.security.virtualization` entitlement (`mise run install` handles this in this repo)
+- `cleanroom-darwin-vz` helper must be installed and signed with `com.apple.security.virtualization` entitlement (the release install script handles this automatically; `mise run install` also handles it in this repo)
 
 ## CLI
 

scripts/ci-cleanroom-e2e.sh

@@ -237,11 +237,21 @@ set +e
       echo "$allow_resp" >&2
       exit 5
     fi
+    if echo "$allow_resp" | grep -q "upstream_error"; then
+      echo "allowlisted host probe hit upstream_error" >&2
+      echo "$allow_resp" >&2
+      exit 5
+    fi
     if echo "$allow_resp" | grep -q "host_not_allowed"; then
       echo "allowlisted host was denied by gateway" >&2
       echo "$allow_resp" >&2
       exit 5
     fi
+    if ! echo "$allow_resp" | grep -q "git-upload-pack"; then
+      echo "allowlisted host probe did not return git upload-pack response" >&2
+      echo "$allow_resp" >&2
+      exit 5
+    fi
 
     set +e
     deny_resp="$(wget -q -S -O - "$deny_url" 2>&1)"