From 8a7302c5cf662ddb9bd98bd80df1a6d2f9078622 Mon Sep 17 00:00:00 2001
From: Alex Goodman
Date: Wed, 30 Jul 2025 10:54:22 -0400
Subject: [PATCH] migrate to get.anchore.io (#4095)

Signed-off-by: Alex Goodman
---
 .github/scripts/update-version-file.sh | 22 ------------
 .github/workflows/release-version-file.yaml | 40 ---------------------
 .github/workflows/release.yaml | 16 ++++++---
 Makefile | 2 +-
 README.md | 2 +-
 Taskfile.yaml | 12 +------
 install.sh | 9 +++--
 7 files changed, 21 insertions(+), 82 deletions(-)
 delete mode 100755 .github/scripts/update-version-file.sh
 delete mode 100644 .github/workflows/release-version-file.yaml

diff --git a/.github/scripts/update-version-file.sh b/.github/scripts/update-version-file.sh
deleted file mode 100755
index c8a039c59..000000000
--- a/.github/scripts/update-version-file.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/env bash
-set -ue
-
-BIN="syft"
-VERSION_FILE="VERSION"
-VERSION=$1
-
-# the source of truth as to whether we want to notify users of an update is if the release just created is NOT
-# flagged as a pre-release on github
-if [[ "$(curl -SsL https://api.github.com/repos/anchore/${BIN}/releases/tags/${VERSION} | jq .prerelease)" == "true" ]] ; then
- echo "skipping publishing a version file (this is a pre-release: ${VERSION})"
- exit 0
-fi
-
-echo "creating and publishing version file (${VERSION})"
-
-# create a version file for version-update checks
-echo "${VERSION}" | tee "${VERSION_FILE}"
-
-# upload the version file that supports the application version update check
-export AWS_DEFAULT_REGION=us-west-2
-aws s3 cp "${VERSION_FILE}" s3://toolbox-data.anchore.io/${BIN}/releases/latest/VERSION
diff --git a/.github/workflows/release-version-file.yaml b/.github/workflows/release-version-file.yaml
deleted file mode 100644
index 53eb03ad2..000000000
--- a/.github/workflows/release-version-file.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-name: "Release: version file"
-
-on:
-
- workflow_dispatch:
- inputs:
- version:
- description: release version to update the version file with (prefixed with v)
- required: true
-
- workflow_call:
- inputs:
- version:
- type: string
- description: release version to update the version file with (prefixed with v)
- required: true
- secrets:
- TOOLBOX_AWS_ACCESS_KEY_ID:
- required: true
- TOOLBOX_AWS_SECRET_ACCESS_KEY:
- required: true
-
-jobs:
-
- release:
- runs-on: ubuntu-24.04
- permissions:
- contents: read
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
- with:
- persist-credentials: false
-
- - name: Update version file
- run: make ci-release-version-file
- env:
- RELEASE_VERSION: ${{ github.event.inputs.version }}
- # for updating the VERSION file in S3...
- AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 9613eefbe..a3cad61e7 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -177,11 +177,17 @@ jobs:
 SLACK_WEBHOOK_URL: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
 if: ${{ success() }}
- release-version-file:
+ release-install-script:
 needs: [release]
- uses: ./.github/workflows/release-version-file.yaml
+ if: ${{ needs.release.result == 'success' }}
+ uses: "anchore/workflows/.github/workflows/release-install-script.yaml@main"
 with:
- version: ${{ github.event.inputs.version }}
+ tag: ${{ github.event.inputs.version }}
 secrets:
- TOOLBOX_AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
- TOOLBOX_AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}
+ # needed for r2...
+ R2_INSTALL_ACCESS_KEY_ID: ${{ secrets.OSS_R2_INSTALL_ACCESS_KEY_ID }}
+ R2_INSTALL_SECRET_ACCESS_KEY: ${{ secrets.OSS_R2_INSTALL_SECRET_ACCESS_KEY }}
+ R2_ENDPOINT: ${{ secrets.TOOLBOX_CLOUDFLARE_R2_ENDPOINT }}
+ # needed for s3...
+ S3_INSTALL_AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
+ S3_INSTALL_AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}
diff --git a/Makefile b/Makefile
index 2f1ae1f8e..a1430e7f5 100644
--- a/Makefile
+++ b/Makefile
@@ -12,7 +12,7 @@ TASK = $(TOOL_DIR)/task
 # note: we need to assume that binny and task have not already been installed
 $(BINNY):
 @mkdir -p $(TOOL_DIR)
- @curl -sSfL https://raw.githubusercontent.com/$(OWNER)/binny/main/install.sh | sh -s -- -b $(TOOL_DIR)
+ @curl -sSfL https://get.anchore.io/binny | sh -s -- -b $(TOOL_DIR)
 # note: we need to assume that binny and task have not already been installed
 .PHONY: task
diff --git a/README.md b/README.md
index 9572fe9f0..a10bd03f5 100644
--- a/README.md
+++ b/README.md
@@ -38,7 +38,7 @@ Syft binaries are provided for Linux, macOS and Windows.
 ### Recommended
 > ```bash
-> curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+> curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin
 > ```
 Install script options:
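Review bot: The `release-install-script` job in `.github/workflows/release.yaml` calls the reusable workflow at the mutable ref `@main` while handing it five secrets (the R2 key pair and endpoint plus the S3 key pair), so whatever sits at the head of that branch when a release runs receives those credentials. The workflow deleted by this same patch pinned `actions/checkout` to a full commit SHA, and the same convention fits here: `uses: "anchore/workflows/.github/workflows/release-install-script.yaml@<full-commit-sha>"  # <release tag>`. The removed job declared `permissions:` with `contents: read`; the called workflow's own permissions are not visible from this hunk, so adding the same two lines to this calling job would keep the token scope explicit.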
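Review bot: The `$(BINNY)` recipe in the Makefile still pipes an unpinned, unverified download straight into `sh`: `https://get.anchore.io/binny` names no version and nothing checks the bytes before they run, so every build trusts whatever that endpoint serves at that moment. install.sh in this patch builds per-tag URLs of the form `${INSTALL_SH_BASE_URL}/${tag}/install.sh` for syft; if the endpoint serves the same layout for binny (not visible here), pinning would look like `@curl -sSfL https://get.anchore.io/binny/<binny-tag>/install.sh | sh -s -- -b $(TOOL_DIR)`. Failing that, saving the script to a file and comparing it with a SHA-256 kept in the repository before running it gives the same guarantee. The `cmd:` line of the first Taskfile.yaml hunk has the same shape, and it also hard-codes `.tool` where its `status:` check uses `{{ .TOOL_DIR }}`.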
diff --git a/Taskfile.yaml b/Taskfile.yaml
index b90671cd9..500f1795b 100644
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@@ -91,7 +91,7 @@ tasks:
 - "{{ .TOOL_DIR }}/binny"
 status:
 - "test -f {{ .TOOL_DIR }}/binny"
- cmd: "curl -sSfL https://raw.githubusercontent.com/anchore/binny/main/install.sh | sh -s -- -b .tool"
+ cmd: "curl -sSfL https://get.anchore.io/binny | sh -s -- -b .tool"
 silent: true
 tools:
@@ -604,16 +604,6 @@ tasks:
 silent: true
 - "{{ .RELEASE_CMD }}"
- ci-release-version-file:
- # desc: "[CI only] Update the version file"
- deps: [tools]
- cmds:
- - task: ci-check
- - ".github/scripts/update-version-file.sh {{ .RELEASE_VERSION }}"
- requires:
- vars:
- - RELEASE_VERSION
-
 ## Cleanup targets #################################
diff --git a/install.sh b/install.sh
index 1c2f49f0f..41d0a22a8 100755
--- a/install.sh
+++ b/install.sh
@@ -6,7 +6,8 @@ PROJECT_NAME=syft
 OWNER=anchore
 REPO="${PROJECT_NAME}"
 GITHUB_DOWNLOAD_PREFIX=https://github.com/${OWNER}/${REPO}/releases/download
-INSTALL_SH_BASE_URL=https://raw.githubusercontent.com/${OWNER}/${PROJECT_NAME}
+INSTALL_SH_BASE_URL=https://get.anchore.io/${PROJECT_NAME}
+LEGACY_INSTALL_SH_BASE_URL=https://raw.githubusercontent.com/${OWNER}/${PROJECT_NAME}
 PROGRAM_ARGS=$@
 # signature verification options
@@ -836,7 +837,11 @@ EOF
 if [ "${DOWNLOAD_TAG_INSTALL_SCRIPT}" = "true" ]; then
 export DOWNLOAD_TAG_INSTALL_SCRIPT=false
 log_info "fetching release script for tag='${tag}'"
- http_copy "${INSTALL_SH_BASE_URL}/${tag}/install.sh" "" | sh -s -- ${PROGRAM_ARGS}
+ if ! install_script=$(http_copy "${INSTALL_SH_BASE_URL}/${tag}/install.sh" ""); then
+ log_warn "failed to fetch from ${INSTALL_SH_BASE_URL}, trying fallback URL"
+ install_script=$(http_copy "${LEGACY_INSTALL_SH_BASE_URL}/${tag}/install.sh" "")
+ fi
+ echo "${install_script}" | sh -s -- ${PROGRAM_ARGS}
 exit $?
 fi
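Review bot: In the second install.sh hunk the fallback assignment `install_script=$(http_copy "${LEGACY_INSTALL_SH_BASE_URL}/${tag}/install.sh" "")` is never checked, so when both fetches fail an empty string is piped to `sh`, which exits 0, and `exit $?` reports success with nothing installed. Ending that line with `|| exit 1` closes the gap. The script is then replayed with `echo "${install_script}"`, and under `sh` implementations whose `echo` expands backslash escapes the fetched text can be altered before it runs; `printf '%s\n' "${install_script}" | sh -s -- ${PROGRAM_ARGS}` passes it through unchanged. Neither origin is integrity-checked before execution and the fallback switches host with only a warning, so comparing the fetched script against a published checksum would be a stronger guard than TLS alone. The code surrounding this `if` block lies outside the hunk.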