Install

Plumb ships as a single binary. Pick the channel that matches your shell.

| Channel | Best for |
| --- | --- |
| Install script | macOS / Linux / Windows users who want one-line install |
| cargo install | Rust developers already on cargo |
| Homebrew tap | macOS / Linux Homebrew users |
| npm i -g | Node-tooling shops that already pin CLI tools through npm |
| Build from source | Contributors hacking on Plumb itself |

After install, run plumb --version to confirm. Then point yourself at the Quick start.

Install script (macOS / Linux / Windows)

The script picks the right archive for your platform, verifies the attestation, and drops the binary on your PATH.

macOS and Linux:

curl -LsSf https://plumb.aramhammoudeh.com/install.sh | sh

Windows (PowerShell):

irm https://plumb.aramhammoudeh.com/install.ps1 | iex

Windows note: the PowerShell installer relies on the GitHub Actions build attestation for integrity. It does not verify the published .sha256 sidecar — that gap is in upstream cargo-dist and is tracked for follow-up. If you want belt-and-braces verification, download the archive and run gh attestation verify (see Verify release attestations).

If you want to read the script first, fetch it without piping to sh:

curl -LsSf https://plumb.aramhammoudeh.com/install.sh -o plumb-install.sh
less plumb-install.sh
sh plumb-install.sh

The script is generated by cargo dist; the source lives in dist-workspace.toml in this repo.

Cargo

If you already have a Rust toolchain (1.95 or newer):

cargo install plumb-cli

This builds from source against the version published to crates.io. Pin a version with --version:

cargo install plumb-cli --version 0.0.11

Homebrew

For macOS or Linuxbrew:

brew install aram-devdocs/plumb/plumb

The tap repository is aram-devdocs/homebrew-plumb. The formula tracks the latest tagged release.

Intel Mac users: V0 ships native binaries for Apple Silicon (aarch64) only. Install via cargo install plumb-cli instead. Native Intel binaries return when the upstream cargo-dist runner pool stabilizes (#269).

npm

If your project already pins CLI tools through npm:

npm i -g plumb-cli

The npm package is unscoped and wraps the same prebuilt binary that the install script and Homebrew formula download. The install script that ships inside the package verifies the platform archive’s checksum before extracting it.

Build from source

Use this path if you’re hacking on Plumb. You need:

  • git
  • A Rust toolchain (1.95+). Install via rustup.
  • just (brew install just / cargo install just).

git clone https://github.com/aram-devdocs/plumb
cd plumb
just setup            # installs the cargo / nextest / hooks tooling
just build-release    # produces target/release/plumb

The binary lands at target/release/plumb. Add it to your PATH, or symlink it:

ln -s "$(pwd)/target/release/plumb" /usr/local/bin/plumb
plumb --version

To run without installing:

cargo run --quiet -p plumb-cli -- lint plumb-fake://hello

Browser dependency

Real plumb lint <url> runs need Chrome or Chromium. Plumb does not bundle a browser. See Install Chromium for the platform notes and the supported version range.

If you only want to try the rule engine without a browser, the plumb-fake://hello URL scheme returns a canned snapshot you can lint locally.

Verify the installation

plumb --version
plumb lint plumb-fake://hello

The first command prints the version. The second runs the rule engine against the canned fake snapshot — no browser required. If both work, move on to the Quick start.

Verify release attestations

Every release artifact ships with an SLSA L2 provenance attestation generated by GitHub Actions via actions/attest-build-provenance. This lets you confirm that the binary you downloaded was built from the source in this repository, on the expected CI runner, without tampering.

Quick check

Install the GitHub CLI (gh), then:

gh attestation verify plumb-cli-x86_64-unknown-linux-gnu.tar.xz \
  --repo aram-devdocs/plumb

Replace the filename with whichever archive you downloaded. The command prints “Verification succeeded!” and exits 0 if the attestation is valid.

What gets attested

| Artifact kind | Attested? |
| --- | --- |
| Platform archives (plumb-cli-<target>.tar.xz, .zip) | Yes |
| Installer scripts (plumb-cli-installer.sh, plumb-cli-installer.ps1) | Yes |
| Homebrew formula (plumb-cli.rb) | Yes |
| npm package (plumb-cli-npm-package.tar.gz) | Yes |

The attestation binds each file’s SHA-256 digest to the GitHub Actions workflow run that produced it. Bundles are stored in GitHub’s attestation API and indexed by digest — there is no list endpoint, so gh attestation verify (or the by-digest API) is the only public read path. Programmatic access:

gh attestation verify plumb-cli-x86_64-unknown-linux-gnu.tar.xz \
  --repo aram-devdocs/plumb \
  --format json | jq '.[0].verificationResult.statement'

Offline verification

GitHub attestations are stored in the GitHub attestation API, not as release assets. To verify offline, first download the bundle while you have network access:

gh attestation download plumb-cli-x86_64-unknown-linux-gnu.tar.xz \
  --repo aram-devdocs/plumb

This writes the bundle to sha256:<digest>.jsonl in the current directory (the filename is fixed by gh; on Windows the colon becomes a dash). Verify offline with the same gh binary:

gh attestation verify plumb-cli-x86_64-unknown-linux-gnu.tar.xz \
  --bundle 'sha256:<digest>.jsonl' \
  --repo aram-devdocs/plumb

If you prefer cosign, the JSONL file holds one sigstore bundle per line; pass a single-bundle file via cosign verify-blob --bundle ….
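
The bundle lookup and per-line split described above, as an added shell example that is not part of the Plumb repository or of gh: it finds the downloaded bundle from the archive's own SHA-256 (colon or dash filename) and writes one single-bundle file per JSONL line. It checks no signatures; that remains the job of gh attestation verify or cosign. The function names and the bundle-N.json output names are hypothetical.

```shell
# Added example: helper names and output file names are assumptions.

# Print the lowercase hex SHA-256 of a file (sha256sum on Linux, shasum on macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    else
        shasum -a 256 < "$1" | awk '{print $1}'
    fi
}

# Print the path of the bundle that `gh attestation download` wrote for ARCHIVE
# in DIR: "sha256:<digest>.jsonl", or "sha256-<digest>.jsonl" on Windows.
find_bundle() {
    archive=$1 dir=${2:-.}
    digest=$(file_sha256 "$archive") || return 1
    for candidate in "$dir/sha256:$digest.jsonl" "$dir/sha256-$digest.jsonl"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "no bundle for sha256:$digest in $dir (different or modified archive?)" >&2
    return 1
}

# Write each non-empty line of the JSONL file to OUTDIR/bundle-N.json and print
# how many files were written. A last line without a trailing newline is kept.
split_bundle() {
    jsonl=$1 outdir=$2
    mkdir -p "$outdir" || return 1
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        n=$((n + 1))
        printf '%s\n' "$line" > "$outdir/bundle-$n.json"
    done < "$jsonl"
    echo "$n"
}

# Usage, after `gh attestation download <archive> --repo aram-devdocs/plumb`:
#   bundle=$(find_bundle plumb-cli-x86_64-unknown-linux-gnu.tar.xz) &&
#   split_bundle "$bundle" ./bundles
```
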