#!/usr/bin/env bash
# bootstrap-tools.sh: download pinned CLI tools (oasdiff, buf, atlas) into
# .tools/bin next to this script and check them against scripts/tools.sha256.
#
# Environment:
#   OASDIFF_VERSION    oasdiff release to fetch (default 1.11.7)
#   ATLAS_VERSION      atlas release to fetch (default v0.31.0)
#   ENFORCE_CHECKSUMS  set to 1 to abort when scripts/tools.sha256 or the entry
#                      for a download is missing; otherwise that case only warns
#
# Abort on any failing command, unset variable, or failing pipeline stage.
set -euo pipefail
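#######################################
# Verify a downloaded file against its pinned SHA-256 digest.
# The digest is looked up by key in scripts/tools.sha256, whose lines are read
# as "<key> <sha256>" (first field = key, second field = digest).
# Globals:   ENFORCE_CHECKSUMS (read) - "1" makes a missing manifest or a
#            missing entry fatal instead of a warning
# Arguments: $1 - path of the file to verify
#            $2 - manifest key for that file
# Outputs:   verification result on stdout; warnings and errors on stderr
# Returns:   0 when the digest matches, or when nothing is pinned and
#            enforcement is off. Exits 1 on a mismatch, when no hashing tool
#            is available, or when enforcement is on and nothing is pinned.
#######################################
sha_check() {
  # usage: sha_check <file> <key>
  local file="$1" key="$2"
  # NOTE(review): this path is relative, so it resolves against the current
  # working directory rather than the script's location. Started from another
  # directory, the manifest is not found and verification is skipped unless
  # ENFORCE_CHECKSUMS=1 - confirm whether it should be anchored to the script.
  local ck="scripts/tools.sha256"
  local enforce="${ENFORCE_CHECKSUMS:-0}"

  if [ ! -f "$ck" ]; then
    if [ "$enforce" = "1" ]; then
      echo "🚨 SECURITY ERROR: Checksum enforcement active but scripts/tools.sha256 not present" >&2
      echo " This indicates a critical security configuration issue" >&2
      echo " Action required: Create scripts/tools.sha256 with tool checksums" >&2
      exit 1
    fi
    echo "⚠️ WARNING: No scripts/tools.sha256 provided; skipping verification" >&2
    echo " Security risk: All tool integrity verification disabled" >&2
    echo " Recommendation: Create scripts/tools.sha256 and set ENFORCE_CHECKSUMS=1" >&2
    return 0
  fi

  # First matching key wins; awk stops there, so no second process is needed.
  local expect
  if ! expect=$(awk -v k="$key" '$1==k {print $2; exit}' "$ck"); then
    echo "🚨 SECURITY ERROR: Could not read $ck while looking up $key" >&2
    exit 1
  fi

  if [ -z "$expect" ]; then
    if [ "$enforce" = "1" ]; then
      echo "🚨 SECURITY ERROR: Checksum enforcement active but no entry for $key in scripts/tools.sha256" >&2
      echo " This indicates a security configuration issue - tool integrity cannot be verified" >&2
      echo " Action required: Add checksum for $key to scripts/tools.sha256" >&2
      exit 1
    fi
    echo "⚠️ WARNING: No checksum entry for $key; skipping verification" >&2
    echo " Security risk: Tool integrity not verified" >&2
    echo " Recommendation: Set ENFORCE_CHECKSUMS=1 for production builds" >&2
    return 0
  fi

  # Every failure below is handled explicitly. Relying on `set -e` alone would
  # fail open: errexit is suspended when a function is called from `if`, `&&`
  # or `||`, and a mismatch would then fall through to "Checksum OK".
  if command -v sha256sum >/dev/null 2>&1; then
    # Two spaces between digest and file name is the canonical check-line form.
    if ! printf '%s  %s\n' "$expect" "$file" | sha256sum -c -; then
      echo "🚨 SECURITY ERROR: Checksum mismatch for $key ($file)" >&2
      exit 1
    fi
  elif command -v shasum >/dev/null 2>&1; then
    local got
    # A failing shasum leaves $got empty, which is then treated as a mismatch.
    got=$(shasum -a 256 "$file" | awk '{print $1}')
    if [ "$got" != "$expect" ]; then
      echo "🚨 SECURITY ERROR: Checksum mismatch for $key ($file)" >&2
      exit 1
    fi
  else
    echo "🚨 SECURITY ERROR: Neither sha256sum nor shasum is available; cannot verify $key" >&2
    exit 1
  fi
  echo "Checksum OK for $key"
}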
# Tools are installed under .tools/bin inside the directory holding this script.
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
BIN="$ROOT/.tools/bin"
mkdir -p "$BIN"

# Map the kernel name and machine type reported by uname to the lowercase
# os/arch tokens the installers use; anything else is rejected.
OS="$(uname -s)"
ARCH="$(uname -m)"

if [[ "$OS" == "Linux" ]]; then
  os="linux"
elif [[ "$OS" == "Darwin" ]]; then
  os="darwin"
else
  echo "Unsupported OS: $OS" >&2
  exit 1
fi

if [[ "$ARCH" == "x86_64" || "$ARCH" == "amd64" ]]; then
  arch="amd64"
elif [[ "$ARCH" == "arm64" || "$ARCH" == "aarch64" ]]; then
  arch="arm64"
else
  echo "Unsupported ARCH: $ARCH" >&2
  exit 1
fi
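#######################################
# Install the oasdiff CLI into $BIN unless an executable copy is already there.
# Releases: https://github.com/oasdiff/oasdiff/releases
# Asset pattern: oasdiff_<version>_<os>_<arch>.tar.gz
# Note: darwin arm64 uses universal build: oasdiff_<v>_darwin_all.tar.gz
# Globals:   BIN, os, arch (read); OASDIFF_VERSION (read, default 1.11.7)
# Outputs:   progress line and sha_check's messages
# Returns:   0 on success or when already installed; a failed download,
#            checksum or extraction aborts the script
#######################################
install_oasdiff() {
  local v="${OASDIFF_VERSION:-1.11.7}"
  # Map arch for oasdiff assets
  local oas_arch="$arch"
  if [ "$os" = "darwin" ] && [ "$arch" = "arm64" ]; then
    oas_arch="all" # oasdiff uses universal binary for darwin arm64
  fi
  local tarball="oasdiff_${v}_${os}_${oas_arch}.tar.gz"
  local url="https://github.com/oasdiff/oasdiff/releases/download/v${v}/${tarball}"

  if [ -x "$BIN/oasdiff" ]; then
    return 0
  fi

  echo "Installing oasdiff ${v} from ${url}..."
  local tmp cleanup
  tmp="$(mktemp)"
  # Remove the archive on every exit path, including an abort caused by a
  # failed download or checksum. The path is expanded now because the local
  # variable may be out of scope by the time the trap runs.
  printf -v cleanup 'rm -f -- %q' "$tmp"
  trap "$cleanup" EXIT

  curl -sSfL "$url" -o "$tmp"
  # Verify before unpacking so nothing unverified reaches $BIN. Called as a
  # plain statement so a failing check aborts the script under `set -e`.
  sha_check "$tmp" "oasdiff-${v}-${os}-${oas_arch}"
  tar -xzf "$tmp" -C "$BIN" oasdiff
  chmod +x "$BIN/oasdiff"

  rm -f -- "$tmp"
  trap - EXIT
}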
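#######################################
# Install the pinned buf CLI into $BIN unless an executable copy is already there.
# The download is staged in a temporary file, verified, and only then moved to
# $BIN/buf. Writing straight to $BIN/buf and verifying afterwards would leave
# an unverified executable behind on a checksum failure, and the `-x` test
# below would then skip both download and verification on every later run.
# Globals:   BIN, os, arch (read)
# Outputs:   sha_check's messages
# Returns:   0 on success or when already installed; a failed download or
#            checksum aborts the script
#######################################
install_buf() {
  local v="1.45.0"
  local os_cap; os_cap="$(tr '[:lower:]' '[:upper:]' <<< "${os:0:1}")${os:1}"
  local buf_arch
  # NOTE(review): upstream Linux arm64 assets may be named "aarch64" rather
  # than "arm64" - confirm against the release page.
  case "$arch" in
    amd64) buf_arch="x86_64" ;;
    arm64) buf_arch="arm64" ;;
    *) echo "Unsupported ARCH for buf: $arch" >&2; exit 1 ;;
  esac
  local bin="buf-${os_cap}-${buf_arch}"
  local url="https://github.com/bufbuild/buf/releases/download/v${v}/${bin}"

  if [ -x "$BIN/buf" ]; then
    return 0
  fi

  local tmp cleanup
  # Stage inside $BIN so the final mv is a rename on the same filesystem.
  tmp="$(mktemp "$BIN/.buf.XXXXXX")"
  # Path is expanded now because the local may be out of scope when the trap runs.
  printf -v cleanup 'rm -f -- %q' "$tmp"
  trap "$cleanup" EXIT

  # -f: fail on an HTTP error instead of saving the error page as the binary.
  curl -sSfL "$url" -o "$tmp"
  # Note: We use $arch (amd64) for the checksum key to match tools.sha256, but $buf_arch (x86_64) for the download URL
  # Called as a plain statement so a failing check aborts the script under `set -e`.
  sha_check "$tmp" "buf-${v}-${os}-${arch}"
  # mktemp creates the file owner-only; set the usual executable mode.
  chmod 0755 "$tmp"
  mv -f -- "$tmp" "$BIN/buf"

  trap - EXIT
}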
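#######################################
# Install the atlas CLI into $BIN unless an executable copy is already there.
# Atlas binaries are served from release.ariga.io, not GitHub releases
# URL format: https://release.ariga.io/atlas/atlas-{os}-{arch}-{version}
# The download is staged in a temporary file, verified, and only then moved to
# $BIN/atlas. Writing straight to $BIN/atlas and verifying afterwards would
# leave an unverified executable behind on a checksum failure, and the `-x`
# test below would then skip both download and verification on later runs.
# Globals:   BIN, os, arch (read); ATLAS_VERSION (read, default v0.31.0)
# Outputs:   sha_check's messages
# Returns:   0 on success or when already installed; a failed download or
#            checksum aborts the script
#######################################
install_atlas() {
  local v="${ATLAS_VERSION:-v0.31.0}"
  local url="https://release.ariga.io/atlas/atlas-${os}-${arch}-${v}"

  if [ -x "$BIN/atlas" ]; then
    return 0
  fi

  local tmp cleanup
  # Stage inside $BIN so the final mv is a rename on the same filesystem.
  tmp="$(mktemp "$BIN/.atlas.XXXXXX")"
  # Path is expanded now because the local may be out of scope when the trap runs.
  printf -v cleanup 'rm -f -- %q' "$tmp"
  trap "$cleanup" EXIT

  curl -sSfL "$url" -o "$tmp"
  # Called as a plain statement so a failing check aborts the script under `set -e`.
  sha_check "$tmp" "atlas-${v}-${os}-${arch}"
  # mktemp creates the file owner-only; set the usual executable mode.
  chmod 0755 "$tmp"
  mv -f -- "$tmp" "$BIN/atlas"

  trap - EXIT
}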
# Run each installer in order, then report the platform the tools were fetched for.
for installer in install_oasdiff install_buf install_atlas; do
  "$installer"
done
printf '%s\n' "Installed pinned CLIs into .tools/bin for ${os}/${arch}"