{"id":13580291,"url":"https://github.com/taiki-e/install-action","last_synced_at":"2026-05-29T03:03:10.115Z","repository":{"id":38086166,"uuid":"442947557","full_name":"taiki-e/install-action","owner":"taiki-e","description":"GitHub Action for installing development tools (mainly from GitHub Releases).","archived":false,"fork":false,"pushed_at":"2026-05-24T20:24:39.000Z","size":9785,"stargazers_count":498,"open_issues_count":18,"forks_count":71,"subscribers_count":5,"default_branch":"main","last_synced_at":"2026-05-24T22:19:13.416Z","etag":null,"topics":["github-actions"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/taiki-e.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE-APACHE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"taiki-e"}},"created_at":"2021-12-30T02:46:21.000Z","updated_at":"2026-05-24T20:25:11.000Z","dependencies_parsed_at":"2026-01-02T21:11:53.283Z","dependency_job_id":"95e21d28-20d0-416b-84b5-71fcd4a03590","html_url":"https://github.com/taiki-e/install-action","commit_stats":{"total_commits":1878,"total_committers":28,"mean_commits":67.07142857142857,"dds":"0.042066027689030894","last_synced_commit":"76b1741cb5a01384d93bca64e19210d5aaab5fab"},"previous_names":[],"tags_count":1245,"template":false,"template_full_name":null,"purl":"pkg:github/taiki-e/install-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taiki-e%2Finstall-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taiki-e%2Finstall-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taiki-e%2Finstall-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taiki-e%2Finstall-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/taiki-e","download_url":"https://codeload.github.com/taiki-e/install-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taiki-e%2Finstall-action/sbom","scorecard":{"id":444344,"data":{"date":"2025-08-11","repo":{"name":"github.com/taiki-e/install-action","commit":"bc27335bd8dd7afb4cc99a4d745f895c9aed98d2"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":7.1,"checks":[{"name":"Code-Review","score":5,"reason":"Found 16/28 approved changesets -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'repository-projects' permission set to 'read': .github/workflows/ci.yml:53","Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:51","Info: jobLevel 'contents' permission set to 'read': .github/workflows/manifest.yml:39","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:21","Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/manifest.yml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yml:4"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE-APACHE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE-APACHE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/taiki-e/install-action/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/taiki-e/install-action/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/taiki-e/install-action/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:206: update your workflow using https://app.stepsecurity.io/secureworkflow/taiki-e/install-action/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/taiki-e/install-action/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/taiki-e/install-action/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/manifest.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/taiki-e/install-action/manifest.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/manifest.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/taiki-e/install-action/manifest.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/manifest.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/taiki-e/install-action/manifest.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/manifest.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/taiki-e/install-action/manifest.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/taiki-e/install-action/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/taiki-e/install-action/release.yml/main?enable=pin","Info:   0 out of  12 third-party GitHubAction dependencies pinned","Info:   1 out of   1 chocoCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/taiki-e/.github/SECURITY.md:1","Info: Found linked content: github.com/taiki-e/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/taiki-e/.github/SECURITY.md:1","Info: Found text in security policy: github.com/taiki-e/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 18 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-19T06:19:09.687Z","repository_id":38086166,"created_at":"2025-08-19T06:19:09.687Z","updated_at":"2025-08-19T06:19:09.687Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33634611,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-29T02:00:06.066Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions"],"created_at":"2024-08-01T15:01:49.552Z","updated_at":"2026-05-29T03:03:10.092Z","avatar_url":"https://github.com/taiki-e.png","language":"Rust","funding_links":["https://github.com/sponsors/taiki-e"],"categories":["Rust"],"sub_categories":[],"readme":"\u003c!-- omit in toc --\u003e\n# install-action\n\n[![release](https://img.shields.io/github/release/taiki-e/install-action?style=flat-square\u0026logo=github)](https://github.com/taiki-e/install-action/releases/latest)\n[![github actions](https://img.shields.io/github/actions/workflow/status/taiki-e/install-action/ci.yml?branch=main\u0026style=flat-square\u0026logo=github)](https://github.com/taiki-e/install-action/actions)\n\nGitHub Action for installing development tools (mainly from GitHub Releases).\n\n- [Usage](#usage)\n  - [Inputs](#inputs)\n  - [Example workflow](#example-workflow)\n- [Supported tools](#supported-tools)\n  - [Add support for new tool](#add-support-for-new-tool)\n- [Security](#security)\n- [Compatibility](#compatibility)\n- [Related Projects](#related-projects)\n- [License](#license)\n\n## Usage\n\n### Inputs\n\n| Name | Required | Description | Type | Default |\n| ---- | :------: | ----------- | ---- | ------- |\n| tool | **✓** | Tools to install (whitespace or comma separated list) | String | |\n| checksum | | Whether to enable checksums (strongly discouraged to disable) | Boolean | `true` |\n| fallback | | Whether to use fallback (none, cargo-binstall, or cargo-install) | String | `cargo-binstall` |\n\n### Example workflow\n\nTo install the latest version:\n\n```yaml\n- uses: taiki-e/install-action@v2\n  with:\n    tool: cargo-hack\n```\n\nYou can use the shorthand (if you do not need to pin the versions of this action and the installed tool):\n\n```yaml\n- uses: taiki-e/install-action@cargo-hack\n```\n\nTo install a specific version, use `@version` syntax:\n\n```yaml\n- uses: taiki-e/install-action@v2\n  with:\n    tool: cargo-hack@0.5.24\n```\n\nYou can also omit patch version.\n(You can also omit the minor version if the major version is 1 or greater.)\n\n```yaml\n- uses: taiki-e/install-action@v2\n  with:\n    tool: cargo-hack@0.5\n```\n\nFor some tools, we support installing additional components at the same time by `+\u003cadditional\u003e` syntax:\n\n```yaml\n- uses: taiki-e/install-action@v2\n  with:\n    # Install rust stable with rustfmt component and wasm32-wasip1 target.\n    tool: rust+rustfmt+wasm32-wasip1\n    # When installing another rust version:\n    # tool: rust@nightly + rustfmt + wasm32-wasip1\n```\n\nTo install multiple tools:\n\n```yaml\n- uses: taiki-e/install-action@v2\n  with:\n    tool: cargo-hack,cargo-minimal-versions\n```\n\nOr:\n\n```yaml\n- uses: taiki-e/install-action@cargo-hack\n- uses: taiki-e/install-action@cargo-minimal-versions\n```\n\nTool names can also be separated with whitespaces (line, space, tab).\n\n```yaml\n- uses: taiki-e/install-action@v2\n  with:\n    tool: |\n      cargo-hack\n      cargo-minimal-versions\n```\n\n## Supported tools\n\nSee [TOOLS.md](TOOLS.md) for the list of tools that are installed from manifests managed in this action.\n\nIf a tool not included in the list above is specified, this action uses [cargo-binstall] as a fallback.\n\nIf you want to ensure that fallback is not used, use `fallback: none`.\n\n```yaml\n- uses: taiki-e/install-action@v2\n  with:\n    tool: cargo-hack\n    # Possible values:\n    # - none: disable all fallback options\n    # - cargo-binstall (default): use cargo-binstall (includes \"quickinstall\" and \"install from source\")\n    # - cargo-install: use `cargo install`\n    fallback: none\n```\n\nOn platforms where cargo-binstall does not provide prebuilt binaries, cargo-install fallback is used instead of cargo-binstall fallback.\n\n### Add support for new tool\n\nSee the [development guide](DEVELOPMENT.md) for how to add support for new tool.\n\n## Security\n\nThe `@v\u003cmajor\u003e` and `@\u003ctool_name\u003e` tags are updated with each release. If you want to enhance workflow stability and security against supply chain attacks, consider using the `@v\u003cmajor\u003e.\u003cminor\u003e.\u003cpatch\u003e` tag or their hash to pin the version and regularly updating with [dependency cooldown]. Since all releases are immutable, pinning the version in either way should have the same effect. Pinning `@\u003ctool_name\u003e` tags by hash is strongly discouraged, as it causes the workflow to reference a [commit that is not present on the repository](https://docs.zizmor.sh/audits/#impostor-commit) when a new version is released.\n\nThe default fallback (cargo-binstall) is often affected by GitHub's API rate limits, so we [pass the `${{ github.token }}` to cargo-binstall](https://github.com/taiki-e/install-action/issues/561). Disabling the cargo-binstall fallback prevent passing token so helps enhance security.\n\nSee the [Supported tools section](#supported-tools) for how to ensure that fallback is not used.\n\n\u003c!-- omit in toc --\u003e\n### Security on installation from GitHub Releases\n\n**Tools covered in this section:** Tools in the [supported tools list](TOOLS.md) where column \"Where will it be installed from\" is \"GitHub Releases\".\n\nThis action will download the tool or its installer from GitHub Releases using HTTPS with tlsv1.2+. This is basically considered to be the same level of security as [the recommended installation of rustup](https://www.rust-lang.org/tools/install).\n\nAdditionally, this action will also verify SHA256 checksums for downloaded files for all tools covered in this section. This is enabled by default and can be disabled by setting the `checksum` input option to `false` (strongly discouraged to disable).\n\nAdditionally, we also verify [artifact attestations](https://docs.github.com/en/actions/concepts/security/artifact-attestations) or signature if the tool publishes artifact attestations or distributes signed archives. Verification is done at the stage of getting the checksum, so disabling the checksum will also disable verification.\n\nWhen installing with `taiki-e/install-action@\u003ctool_name\u003e`, `tool: \u003ctool_name\u003e`, or `tool: \u003ctool_name\u003e@\u003comitted_version\u003e`, The tool version is reflects upstream releases with a delay of one to a few days (as with other common package managers that verify checksums or signatures). A delay of at least one day is known as [dependency cooldown] and is intended to mitigate the risk of supply chain attacks (the specific cooldown period may be changed in the future). You can bypass the cooldown by explicitly specifying a version. If you want a longer cooldown, consider using the property described below.\n\nWhen installing with `tool: \u003ctool_name\u003e` or `tool: \u003ctool_name\u003e@\u003comitted_version\u003e`, the tool version is associated with the install-action version, so pinning install-action version with the `@v\u003cmajor\u003e.\u003cminor\u003e.\u003cpatch\u003e` tag or their hash also pins the version of the tool being installed. This also means that if a [dependency cooldown] applies to the action itself, a cooldown of one to a few days longer will apply to the tools installed by that action.\n\n[dependency cooldown]: https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns\n\n\u003c!-- omit in toc --\u003e\n### Security on other installation methods\n\nSee the linked documentation for information on security when installed using [rustup](https://rust-lang.github.io/rustup/security.html), [snap](https://snapcraft.io/docs), or [cargo-binstall](https://github.com/cargo-bins/cargo-binstall#faq).\n\nIf the installation method is rustup and rustup is not yet installed, this action downloads [rustup-init for the current platform](https://rust-lang.github.io/rustup/installation/other.html#manual-installation) using HTTPS with tlsv1.2+, verifies SHA256 checksum, and then installs rustup using it.\n\nIf the installation method is cargo-binstall and cargo-binstall is not yet installed or outdated, this action installs cargo-binstall [from GitHub Releases](#security-on-installation-from-github-releases).\n\nSee the [Supported tools section](#supported-tools) for how to ensure that fallback is not used.\n\n## Compatibility\n\nThis action has been tested for GitHub-hosted runners (Ubuntu, macOS, Windows) and containers (Ubuntu, Debian, Fedora, CentOS, Alma, openSUSE, Arch, Alpine).\n\nOn Linux, if any required tools are missing, this action will attempt to install them from distro's package manager, so no pre-setup is usually required (except for CentOS or Debian 10 (or older) or very old distro described below, which was already EoL and needs to use vault/archive repos -- see \"Install requirements\" in [our CI config](https://github.com/taiki-e/install-action/blob/HEAD/.github/workflows/ci.yml) for example of setup).\n\nOn other platforms, at least the following tools are required:\n\n- bash 3.2+\n- jq 1.3+ (only on non-Windows platforms)\n- curl 7.34+ (or RHEL7/CentOS7's patched curl 7.29)\n\nKnown environments affected by the above version requirements are CentOS 6 (EoL on 2020-11) using curl 7.19, and Ubuntu 12.04 (EoL on 2017-04) using curl 7.22 (see \"Install requirements\" in [our CI config](https://github.com/taiki-e/install-action/blob/HEAD/.github/workflows/ci.yml) for example of workaround).\n\nNote that what this action installs for its setup (such as above tools) is considered an implementation detail if they are installed by this action's side, and there is no guarantee that they will be available in subsequent steps, because this action is not an action for installing those tools.\n\n## Related Projects\n\n- [cache-cargo-install-action]: GitHub Action for `cargo install` with cache.\n- [create-gh-release-action]: GitHub Action for creating GitHub Releases based on changelog.\n- [upload-rust-binary-action]: GitHub Action for building and uploading Rust binary to GitHub Releases.\n- [setup-cross-toolchain-action]: GitHub Action for setup toolchains for cross compilation and cross testing for Rust.\n- [checkout-action]: GitHub Action for checking out a repository. (Simplified actions/checkout alternative that does not depend on Node.js.)\n\n[cache-cargo-install-action]: https://github.com/taiki-e/cache-cargo-install-action\n[cargo-binstall]: https://github.com/cargo-bins/cargo-binstall\n[checkout-action]: https://github.com/taiki-e/checkout-action\n[create-gh-release-action]: https://github.com/taiki-e/create-gh-release-action\n[setup-cross-toolchain-action]: https://github.com/taiki-e/setup-cross-toolchain-action\n[upload-rust-binary-action]: https://github.com/taiki-e/upload-rust-binary-action\n\n## License\n\nLicensed under either of [Apache License, Version 2.0](LICENSE-APACHE) or\n[MIT license](LICENSE-MIT) at your option.\n\nEach of the tools installed by this action has a different license. See the\n[Supported tools](#supported-tools) section for more information.\n\nUnless you explicitly state otherwise, any contribution intentionally submitted\nfor inclusion in the work by you, as defined in the Apache-2.0 license, shall\nbe dual licensed as above, without any additional terms or conditions.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftaiki-e%2Finstall-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftaiki-e%2Finstall-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftaiki-e%2Finstall-action/lists"}