ghalint is written in Go, so you only have to install a binary in your PATH.
There are several ways to install ghalint.
You can install ghalint using Homebrew.
brew install suzuki-shunsuke/ghalint/ghalint
You can install ghalint using Scoop.
scoop bucket add suzuki-shunsuke https://github.com/suzuki-shunsuke/scoop-bucket
scoop install ghalint
You can install ghalint using aqua.
aqua g -i suzuki-shunsuke/ghalint
You can install ghalint using go install.
go install github.com/suzuki-shunsuke/ghalint/cmd/ghalint@latest
You can download an asset from GitHub Releases.
Please unarchive it and install the pre-built binary into $PATH.
You can verify downloaded assets with any of the following tools.
You can install GitHub CLI using aqua.
aqua g -i cli/cli
version=v1.2.0
asset=ghalint_darwin_arm64.tar.gz
gh release download -R suzuki-shunsuke/ghalint "$version" -p "$asset"
gh attestation verify "$asset" \
-R suzuki-shunsuke/ghalint \
--signer-workflow suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml
You can install slsa-verifier using aqua.
aqua g -i slsa-framework/slsa-verifier
version=v1.2.0
asset=ghalint_darwin_arm64.tar.gz
gh release download -R suzuki-shunsuke/ghalint "$version" -p "$asset" -p multiple.intoto.jsonl
slsa-verifier verify-artifact "$asset" \
--provenance-path multiple.intoto.jsonl \
--source-uri github.com/suzuki-shunsuke/ghalint \
--source-tag "$version"
You can install Cosign using aqua.
aqua g -i sigstore/cosign
version=v1.2.0
checksum_file="ghalint_${version#v}_checksums.txt"
asset=ghalint_darwin_arm64.tar.gz
gh release download "$version" \
-R suzuki-shunsuke/ghalint \
-p "$asset" \
-p "$checksum_file" \
-p "${checksum_file}.pem" \
-p "${checksum_file}.sig"
cosign verify-blob \
--signature "${checksum_file}.sig" \
--certificate "${checksum_file}.pem" \
--certificate-identity-regexp 'https://github\.com/suzuki-shunsuke/go-release-workflow/\.github/workflows/release\.yaml@.*' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
"$checksum_file"
cat "$checksum_file" | sha256sum -c --ignore-missing
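In the Cosign procedure above, `cosign verify-blob` authenticates only the checksum file; the final checksum comparison is what ties the downloaded archive to it. The following is an added example, not part of the ghalint project: a stricter form of that last step which requires the asset to be listed exactly once in the checksum file. The function names (`sha256_of`, `verify_asset_checksum`, `demo`) and the demo file contents are hypothetical and constructed for illustration.

```shell
# Added example; function names are hypothetical, not part of ghalint.

# Print the SHA-256 of a file as hex, using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_asset_checksum CHECKSUM_FILE ASSET
# Returns 0 only if ASSET is listed exactly once and its digest matches.
# Returns 2 if it is not listed exactly once, 1 on a digest mismatch.
verify_asset_checksum() {
  local checksum_file="$1" asset="$2" name expected actual
  name=$(basename "$asset")
  # Lines look like "<hex>  <name>"; a leading "*" on the name marks binary mode.
  expected=$(awk -v n="$name" '{f=$2; sub(/^\*/, "", f)} f == n {print $1}' "$checksum_file")
  if [ "$(printf '%s\n' "$expected" | grep -c .)" -ne 1 ]; then
    echo "error: $name must be listed exactly once in $checksum_file" >&2
    return 2
  fi
  actual=$(sha256_of "$asset")
  if [ "$actual" != "$expected" ]; then
    echo "error: digest mismatch for $name" >&2
    return 1
  fi
  echo "ok: $name"
}

# Constructed demo: a fake archive and checksum file in a temp directory.
# Returns 0 if the intact file passes and the modified file is rejected.
demo() {
  local d rc=0
  d=$(mktemp -d)
  printf 'constructed sample payload\n' > "$d/ghalint_darwin_arm64.tar.gz"
  printf '%s  %s\n' "$(sha256_of "$d/ghalint_darwin_arm64.tar.gz")" \
    ghalint_darwin_arm64.tar.gz > "$d/checksums.txt"
  verify_asset_checksum "$d/checksums.txt" "$d/ghalint_darwin_arm64.tar.gz" || rc=1
  printf 'modified\n' >> "$d/ghalint_darwin_arm64.tar.gz"
  verify_asset_checksum "$d/checksums.txt" "$d/ghalint_darwin_arm64.tar.gz" 2>/dev/null && rc=1
  rm -rf "$d"
  return "$rc"
}
```

Run `verify_asset_checksum "$checksum_file" "$asset"` only after `cosign verify-blob` has succeeded, since an unauthenticated checksum file proves nothing about the archive.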