pairspaces · declanjryan · Oct 30, 2025 · Oct 29, 2025
diff --git a/.github/workflows/pull.yml b/.github/workflows/pull.yml
@@ -16,7 +16,108 @@ permissions:
   contents: read
 
 jobs:
-  pull_install:
+  pull_install_nix:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ ubuntu-latest, macos-latest ]
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Homebrew (Ubuntu)
+        if: matrix.os == 'ubuntu-latest'
+        shell: bash
+        run: |
+          set -euxo pipefail
+          sudo apt-get update
+          sudo apt-get install -y curl build-essential procps file git
+          NONINTERACTIVE=1 bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+          BREW_BIN="/home/linuxbrew/.linuxbrew/bin/brew"
+          "$BREW_BIN" --version
+          # Put brew on PATH for subsequent steps
+          echo "$(/home/linuxbrew/.linuxbrew/bin/brew --prefix)/bin" >> "$GITHUB_PATH"
+          echo "HOMEBREW_PREFIX=$(/home/linuxbrew/.linuxbrew/bin/brew --prefix)" >> "$GITHUB_ENV"
+
+      - name: Locate & export Homebrew (macOS)
+        if: matrix.os == 'macos-latest'
+        shell: bash
+        run: |
+          set -euxo pipefail
+          # Prefer Apple Silicon path, then Intel, then fallback
+          if [ -x /opt/homebrew/bin/brew ]; then BREW=/opt/homebrew/bin/brew;
+          elif [ -x /usr/local/bin/brew ]; then BREW=/usr/local/bin/brew;
+          else BREW="$(command -v brew)"; fi
+          "$BREW" --version
+          echo "$("$BREW" --prefix)/bin" >> "$GITHUB_PATH"
+          echo "HOMEBREW_PREFIX=$("$BREW" --prefix)" >> "$GITHUB_ENV"
+
+      - name: Install bats
+        run: |
+          set -euxo pipefail
+          brew update
+          brew install bats-core
+          bats --version
+          brew tap bats-core/bats-core
+          brew install bats-support bats-assert bats-file
+          # Show installed addon paths for debug
+          brew --prefix bats-support
+          brew --prefix bats-assert
+          brew --prefix bats-file
+
+      - name: Run bats tests
+        env:
+          ProgressPreference: SilentlyContinue
+        run: |
+          set -euxo pipefail
+          bats tests/install.bats
+
+  pull_install_verify:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Homebrew (Ubuntu)
+        shell: bash
+        run: |
+          set -euxo pipefail
+          sudo apt-get update
+          sudo apt-get install -y curl build-essential procps file git
+          NONINTERACTIVE=1 bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+          BREW_BIN="/home/linuxbrew/.linuxbrew/bin/brew"
+          "$BREW_BIN" --version
+          # Put brew on PATH for subsequent steps
+          echo "$(/home/linuxbrew/.linuxbrew/bin/brew --prefix)/bin" >> "$GITHUB_PATH"
+          echo "HOMEBREW_PREFIX=$(/home/linuxbrew/.linuxbrew/bin/brew --prefix)" >> "$GITHUB_ENV"
+
+      - name: Install cosign
+        run: |
+          set -euxo pipefail
+          brew update
+          brew install cosign
+          cosign version || true
+
+      - name: Verify binary
+        env:
+          VERIFY_BINARY: "true"
+        run: |
+          set -euxo pipefail
+          BIN_DIR="$(mktemp -d)/bin"
+          mkdir -p "$BIN_DIR"
+          echo "Cosign version:"
+          cosign version || true
+          echo "Running installer with VERIFY_BINARY=true"
+          bash -x ./install.sh -d "$BIN_DIR" | tee install.log
+          echo "---- Installer log ----"
+          cat install.log
+          echo "------------------------"
+          test -x "$BIN_DIR/pair"
+          ls -l "$BIN_DIR/pair"
+
+  pull_install_windows:
     runs-on: windows-latest
     defaults:
       run:

diff --git a/install.sh b/install.sh
@@ -10,7 +10,7 @@ NAME="pair"
 ENV="latest"
 BASE_URL="https://downloads.pairspaces.com/$ENV"
 INSTALL_DIR="/usr/local/bin"
-VERIFY_CHECKSUM="${VERIFY_CHECKSUM:-false}"
+VERIFY_BINARY="${VERIFY_BINARY:-false}"
 
 # =============================================================================
 # UI Helpers
@@ -91,7 +91,7 @@ process_args() {
         -)
           case "$OPTARG" in
             uninstall) UNINSTALL=true ;;
-            verify) VERIFY_CHECKSUM=true ;;
+            verify) VERIFY_BINARY=true ;;
             *) abort "Unknown long option --$OPTARG" ;;
           esac
           ;;
@@ -134,7 +134,7 @@ download_and_install() {
   text_title "Downloading PairSpaces CLI"
   curl -LO --proto '=https' --tlsv1.2 -sSf "$DOWNLOAD_URL"
 
-  verify_checksum
+  verify_binary
 
   text_title "Installing PairSpaces CLI" "$INSTALL_DIR/$NAME"
   chmod +x "$FILENAME"
@@ -179,21 +179,20 @@ remove_installed_binary() {
 }
 
 # =============================================================================
-# Verify checksum (Linux only)
+# Verify binary (Linux only)
 # =============================================================================
 
-verify_checksum() {
-  if [ "$VERIFY_CHECKSUM" != "true" ] || [ "$OS" != "linux" ]; then
+verify_binary() {
+  if [ "$VERIFY_BINARY" != "true" ] || [ "$OS" != "linux" ]; then
     return 0
   fi
 
-  text_title "Verifying Checksum"
+  text_title "Verifying Binary"
 
-  local checksum_base="${BASE_URL}/pair_${VERSION}_checksums"
+  local binary_base="${BASE_URL}/linux/${ARCH}/pair_${VERSION}"
 
-  curl -sSfO "${checksum_base}.txt"      || abort "Failed to download checksum file"
-  curl -sSfO "${checksum_base}.txt.pem"  || abort "Failed to download PEM certificate"
-  curl -sSfO "${checksum_base}.txt.sig"  || abort "Failed to download signature"
+  curl -sSfO "${binary_base}.pem"  || abort "Failed to download PEM certificate"
+  curl -sSfO "${binary_base}.sig"  || abort "Failed to download signature"
 
   if ! command -v cosign &>/dev/null; then
     text_title "Installing cosign"
@@ -203,20 +202,11 @@ verify_checksum() {
   fi
 
   cosign verify-blob \
-    --certificate "pair_${VERSION}_checksums.txt.pem" \
-    --signature "pair_${VERSION}_checksums.txt.sig" \
-    --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
-    --certificate-identity-regexp=".*" \
-    "pair_${VERSION}_checksums.txt" || abort "Checksum file signature invalid"
-
-  local actual
-  actual=$(sha256sum "$FILENAME" | awk '{print $1}')
-  local expected
-  expected=$(grep "linux/$ARCH/$FILENAME" "pair_${VERSION}_checksums.txt" | awk '{print $1}')
-
-  if [ "$actual" != "$expected" ]; then
-    abort "Checksum mismatch: expected $expected, got $actual"
-  fi
+  --certificate "pair_${VERSION}.pem" \
+  --signature "pair_${VERSION}.sig" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+  --certificate-identity-regexp=".*" \
+  "pair_${VERSION}"
 
   echo "The PairSpaces CLI was verified successfully using cosign."
 }