✨ Add curl | sh self-installer and clean up documentation

[jsamuel1]

Summary

This PR adds a curl-style self-installer script and removes the extra markdown file added in the previous PR, making git-qcommit easier to install and maintain.

Changes

Added

• install.sh: A curl | sh style self-installer script that:
  • Downloads and installs only the main git-qcommit script (not other files)
  • Automatically creates the ~/.local/bin/ directory if it doesn't exist
  • Makes the installed script executable
  • Provides clear installation feedback and PATH configuration guidance
  • Supports both curl and wget for maximum compatibility
  • Can be executed via: curl https://raw.githubusercontent.com/jsamuel1/git-qcommit/main/install.sh | sh

Removed

• Removed MIGRATION.md file that was added in the previous pull request

Installation Usage

Users can now install git-qcommit with a single command:

curl https://raw.githubusercontent.com/jsamuel1/git-qcommit/main/install.sh | sh

The installer will:

1. Create ~/.local/bin/ if it doesn't exist
2. Download the git-qcommit script
3. Make it executable
4. Verify PATH configuration and provide guidance if needed

Testing

The installer script includes:

• Error handling with set -e
• Fallback to wget if curl is not available
• Clear error messages for missing dependencies
• PATH verification and user guidance

Requirements Implemented

✅ Removed the extra markdown file (MIGRATION.md) from the previous PR
✅ Created a curl | sh style self-installer script
✅ Installer handles creating the ~/.local/bin/ directory if it doesn't exist
✅ Installer makes the installed script executable
✅ Installer is downloadable and executable via curl

[amazon-q-developer]

⏳ Code review in progress. Analyzing for code quality issues and best practices. You can monitor the review status in the checks section at the bottom of this pull request. Detailed findings will be posted upon completion.

Using Amazon Q Developer for GitHub

Amazon Q Developer¹ is an AI-powered assistant that integrates directly into your GitHub workflow, enhancing your development process with intelligent features for code development, review, and transformation.

Slash Commands

Command	Description
/q <message>	Chat with the agent to ask questions or request revisions
/q review	Requests an Amazon Q powered code review
/q help	Displays usage information

Features

Agentic Chat
Enables interactive conversation with Amazon Q to ask questions about the pull request or request specific revisions. Use /q <message> in comment threads or the review body to engage with the agent directly.

Code Review
Analyzes pull requests for code quality, potential issues, and security concerns. Provides feedback and suggested fixes. Automatically triggered on new or reopened PRs (can be disabled for AWS registered installations), or manually with /q review slash command in a comment.

Customization

You can create project-specific rules for Amazon Q Developer to follow:

1. Create a .amazonq/rules folder in your project root.
2. Add Markdown files in this folder to define rules (e.g., cdk-rules.md).
3. Write detailed prompts in these files, such as coding standards or best practices.
4. Amazon Q Developer will automatically use these rules when generating code or providing assistance.

Example rule:

All Amazon S3 buckets must have encryption enabled, enforce SSL, and block public access.
All Amazon DynamoDB Streams tables must have encryption enabled.
All Amazon SNS topics must have encryption enabled and enforce SSL.
All Amazon SNS queues must enforce SSL.

Feedback

To provide feedback on Amazon Q Developer, create an issue in the Amazon Q Developer public repository.

For more detailed information, visit the Amazon Q for GitHub documentation.

Footnotes

1. Amazon Q Developer uses generative AI. You may need to verify generated code before using it in your environment. See the AWS Responsible AI Policy. ↩

[amazon-q-developer]

Security and Reliability Review

This PR adds a convenient curl | sh installer, but introduces several critical security vulnerabilities that must be addressed before merge:

🚨 Critical Issues

1. No integrity verification - The installer downloads and executes code without checksum validation, creating a significant attack vector
2. Insufficient error handling - Multiple failure points could leave the system in an inconsistent state
3. Silent failures - Suppressed error output could hide important failure information

📋 Summary of Required Changes

• Add checksum verification for downloaded scripts
• Implement proper error checking for directory creation and file downloads
• Improve error reporting by removing silent flags from curl/wget
• Verify downloaded file exists and has content before making executable

✅ Positive Aspects

• Clean removal of unnecessary MIGRATION.md file
• Well-structured installer with clear user feedback
• Proper PATH verification and guidance
• Good fallback between curl and wget

The installer concept is solid, but the security issues must be resolved before this can be safely deployed to users.

---

You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

[amazon-q-developer]

🛑 Security Vulnerability: The installer downloads and executes code from a hardcoded GitHub URL without any integrity verification. This creates a significant security risk as the script could be compromised or intercepted during download¹. Add checksum verification or use signed releases to ensure the downloaded script hasn't been tampered with.

Suggested change

	mkdir -p "$INSTALL_DIR"
	fi
	# Download the script
	echo "Downloading git-qcommit from $SCRIPT_URL"
	if command -v curl >/dev/null 2>&1; then
	curl -fsSL "$SCRIPT_URL" -o "$INSTALL_DIR/$SCRIPT_NAME"
	# Download the script with integrity verification
	echo "Downloading git-qcommit from $SCRIPT_URL"
	if command -v curl >/dev/null 2>&1; then
	curl -fsSL "$SCRIPT_URL" -o "$INSTALL_DIR/$SCRIPT_NAME"
	# TODO: Add checksum verification here
	# Expected checksum should be provided via a separate endpoint or release
	elif command -v wget >/dev/null 2>&1; then
	wget -qO "$INSTALL_DIR/$SCRIPT_NAME" "$SCRIPT_URL"
	# TODO: Add checksum verification here
	else
	echo "Error: Neither curl nor wget found. Please install one of them and try again."
	exit 1
	fi

Footnotes

1. CWE-494: Download of Code Without Integrity Check - https://cwe.mitre.org/data/definitions/494.html ↩

[amazon-q-developer]

The hardcoded branch reference "main" could cause issues if the repository's default branch changes or if users want to install from a specific version. Consider making the branch configurable via environment variable or use a more stable reference like a release tag.

Suggested change

	REPO_NAME="git-qcommit"
	REPO_BRANCH="${GIT_QCOMMIT_BRANCH:-main}"

[amazon-q-developer]

The mkdir -p command could fail due to permission issues or filesystem problems, but the script continues execution without verifying the directory was actually created. Add error checking to ensure the installation directory exists before proceeding.

Suggested change

	echo " git-qcommit Installer"
	echo "====================================="
	echo ""
	# Create installation directory if it doesn't exist
	if [ ! -d "$INSTALL_DIR" ]; then
	echo "Creating directory: $INSTALL_DIR"
	if ! mkdir -p "$INSTALL_DIR"; then
	echo "Error: Failed to create directory $INSTALL_DIR"
	echo "Please check permissions and try again."
	exit 1
	fi
	fi

[amazon-q-developer]

The script doesn't verify that the download was successful before attempting to make the file executable. If the download fails silently, chmod +x will be applied to a non-existent or empty file. Add verification that the downloaded file exists and has content.

Suggested change

	else
	echo "Error: Neither curl nor wget found. Please install one of them and try again."
	# Verify the download was successful
	if [ ! -f "$INSTALL_DIR/$SCRIPT_NAME" ] || [ ! -s "$INSTALL_DIR/$SCRIPT_NAME" ]; then
	echo "Error: Download failed or file is empty"
	exit 1
	fi
	# Make the script executable
	echo "Making script executable"
	chmod +x "$INSTALL_DIR/$SCRIPT_NAME"

[amazon-q-developer]

The curl and wget commands use flags that suppress error output (-s in curl, -q in wget), which could hide important error messages from users. If the download fails, users won't see helpful error information. Consider using more verbose error reporting.

Suggested change

	mkdir -p "$INSTALL_DIR"
	fi
	# Download the script
	echo "Downloading git-qcommit from $SCRIPT_URL"
	if command -v curl >/dev/null 2>&1; then
	curl -fsSL "$SCRIPT_URL" -o "$INSTALL_DIR/$SCRIPT_NAME"
	echo "Downloading git-qcommit from $SCRIPT_URL"
	if command -v curl >/dev/null 2>&1; then
	if ! curl -fL "$SCRIPT_URL" -o "$INSTALL_DIR/$SCRIPT_NAME"; then
	echo "Error: Failed to download script from $SCRIPT_URL"
	exit 1
	fi
	elif command -v wget >/dev/null 2>&1; then
	if ! wget -O "$INSTALL_DIR/$SCRIPT_NAME" "$SCRIPT_URL"; then
	echo "Error: Failed to download script from $SCRIPT_URL"
	exit 1
	fi
	else
	echo "Error: Neither curl nor wget found. Please install one of them and try again."
	exit 1
	fi