From 35cfe48d83207a91291df920ed69031f084e0bd3 Mon Sep 17 00:00:00 2001 From: Misty De Meo Date: Sat, 6 Sep 2025 12:25:29 -0700 Subject: [PATCH 1/3] docs: extra environment variables --- book/src/installers/usage.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/book/src/installers/usage.md b/book/src/installers/usage.md index f663d53fd..9a9c42a89 100644 --- a/book/src/installers/usage.md +++ b/book/src/installers/usage.md @@ -115,9 +115,10 @@ requested API structure expectations to match either: - Public artifact URLs: https://{CUSTOM}/owner/repo/releases/download/version/artifact-name - Releases API: https://{CUSTOM}/api/v3/repos/owner/repo/releases/latest ([docs](https://docs.github.com/en/enterprise-server@3.14/rest/releases/releases?apiVersion=2022-11-28)) +Users can also override the entire URL for the artifact by specifying `${app name}_DOWNLOAD_URL` (available since 0.30.0). + `dist` is eager to support enterprise level features like this- so if you have questions -or related feature requests, please join our [Discord](https://discord.gg/MnyjrpTceV) or send -us an email at hello@axo.dev. +or related feature requests, please join our [Discord](https://discord.gg/MnyjrpTceV). ## GitHub bearer token @@ -127,6 +128,17 @@ By default, the installer fetches archives without using any form of authenticat - `${app name}_GITHUB_TOKEN` +## Verbosity + +> since 0.30.0 + +Users can customize the verbosity of the shell installer by specifying one of two environment variables: + +- `${app name}_PRINT_QUIET` (also available as `--quiet` on the commandline) +- `${app name}_PRINT_VERBOSE` (also available as `--verbose` on the commandline) + +`${app name}_PRINT_QUIET` will suppress warnings and error messages, while `${app name}_PRINT_VERBOSE` will print some extra debugging messages. + ## Receipt > since 0.9.0 From 4bebedfecda983efe5451998782bb6096f306549 Mon Sep 17 00:00:00 2001 From: Misty De Meo Date: Sat, 6 Sep 2025 12:35:50 -0700 Subject: [PATCH 2/3] docs: attestation docs tweaks --- book/src/reference/config.md | 6 +++++- book/src/supplychain-security/attestations/github.md | 5 +---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/book/src/reference/config.md b/book/src/reference/config.md index 2ae1a0bbd..7690e38b1 100644 --- a/book/src/reference/config.md +++ b/book/src/reference/config.md @@ -1086,6 +1086,8 @@ If you're using GitHub Releases, this will enable GitHub's experimental artifact > github-attestations-phase = "host" > ``` +Most users won't need to use this feature. If you've enabled `github-attestations`, attestations are ordinarily performed while local builds are running. Users making use of the [`build-local-artifacts = false`](#build-local-artifacts) setting to perform their own builds won't be able to make use of attestations in that phase, so these users will need to move attestations to another phase. + Possible values: * `host`: Create the GitHub Attestations during the `host` phase. @@ -1105,7 +1107,9 @@ Possible values: > github-attestations-filters = ["*.json", "*.sh", "*.ps1", "*.zip", "*.tar.gz"] > ``` -Allows filtering GitHub Attestations in the `host` phase. All patterns are globed against the pattern `artifacts/{filter}`. +Allows configuring which artifacts to perform GitHub Attestations for in the `host` phase. All patterns are globed against the pattern `artifacts/{filter}`. + +This doesn't currently support attestations performed in the `build-local-artifacts` phase, but support for this may be added in the future. #### `github-release` diff --git a/book/src/supplychain-security/attestations/github.md b/book/src/supplychain-security/attestations/github.md index e930dce70..12d269a7d 100644 --- a/book/src/supplychain-security/attestations/github.md +++ b/book/src/supplychain-security/attestations/github.md @@ -8,10 +8,7 @@ Note that GitHub's Artifact Attestations only supports public repositories and p Currently, verification of GitHub Artifact Attestations is only supported via GitHub CLI with [`gh attestation verify`]. -Additionally, you can control which phase attestations occur using the [`github-attestations-phase` setting](../../reference/config.md#github-attestations-phase). - -By default, attestations occur during the `build-local-artifacts` phase. This can be alternatively be changed to the `host` phase, which is particularly -useful when `build-local-artifacts` is set to `false`. +The phase in which attestations occur can be configured using the [`github-attestations-phase` setting](../../reference/config.md#github-attestations-phase). By default, attestations occur during the `build-local-artifacts` phase. This can be be changed to the `host` phase, which is particularly useful when `build-local-artifacts` is set to `false`. When performing attestations in the `host` phase, you can control what gets attested by using the [`github-attestations-filters` setting](../../reference/config.md#github-attestations-filters). From abb679eb9d68184bbc1a009e85a557708baab8e0 Mon Sep 17 00:00:00 2001 From: Misty De Meo Date: Sun, 7 Sep 2025 12:56:18 -0700 Subject: [PATCH 3/3] docs: proxy variables --- book/src/installers/usage.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/book/src/installers/usage.md b/book/src/installers/usage.md index 9a9c42a89..8b6bc8759 100644 --- a/book/src/installers/usage.md +++ b/book/src/installers/usage.md @@ -128,6 +128,12 @@ By default, the installer fetches archives without using any form of authenticat - `${app name}_GITHUB_TOKEN` +## Proxy + +> since 0.1.0 (shell), 0.30.0 (powershell) + +Users who need to fetch artifacts via a proxy can set the `HTTPS_PROXY` or `ALL_PROXY` environment variables. This is compatible with the syntax used by cURL; for more information, see [cURL's documentation](https://everything.curl.dev/usingcurl/proxies/env.html). + ## Verbosity > since 0.30.0