Description
This installation method enables users to download and install any version published as a tag, the latest tag, or a branch. It can be a convenient way to install on platforms or CI environments where local scripting tools can vary wildly, but a Go compiler is available due to a previous step in the CI pipeline or by the container image.
It's common for tools to suggest this as the quickest way to install from source, without requiring users to clone a repository.
Example commands:
# install the most recently tagged version
go install oras.land/oras/cmd/oras@latest
# use the tip of a ref, e.g.: main
go install oras.land/oras/cmd/oras@main
# use a specific tag, e.g.: v1.0.0
go install oras.land/oras/cmd/[email protected]The security purist in me doesn't like that this method lacks certain supply chain security characteristics - these binaries cannot be signed - but these instructions are protected by the same mechanism as Go dependencies are via the Go module proxy. When using tagged versions, the tag is checked against sum.golang.org.