Installation Guide

Timoni is available as a binary executable for Linux, macOS and Windows. The AMD64 and ARM64 binaries can be downloaded from GitHub releases.

Install with brewarkadescoopnixyayzypperprotofrom source

Install the latest release on macOS or Linux with:

brew install stefanprodan/tap/timoni

Note that the Homebrew formula will setup shell autocompletion for Bash, Fish and Zsh.

Install the latest release on Windows, macOS or Linux with:

arkade get timoni

Note that the Arkade version must be 0.9.11 or newer.

Install the latest release on Windows with:

scoop install timoni

View the available versions using scoop.sh. The cue dependency will also be installed if necessary.

Install the latest release with nix-env:

nix-env -i timoni

Note that the Nix package will setup shell autocompletion for Bash, Fish and Zsh.

Install the latest release with yay (or another AUR helper) for Arch Linux:

yay -S timoni

If you prefer to use the upstream binaries:

yay -S timoni-bin

Install the latest release with zypper for openSUSE:

zypper install timoni

To setup shell autocompletion:

zypper install timoni-bash-completion
zypper install timoni-fish-completion
zypper install timoni-zsh-completion

Manage multiple versions with proto for all supported systems:

# .prototools file

timoni = "0.19.0"

[plugins]
timoni = "source:https://raw.githubusercontent.com/stefanprodan/timoni/main/proto-plugin.toml"

Using Go >= 1.21:

go install github.com/stefanprodan/timoni/cmd/timoni@latest

Shell autocompletion

Configure your shell to load timoni completions:

BashFishPowershellZsh

To load completion run:

. <(timoni completion bash)

To configure your bash shell to load completions for each session add to your bashrc:

# ~/.bashrc or ~/.bash_profile
command -v timoni >/dev/null && . <(timoni completion bash)

If you have an alias for timoni, you can extend shell completion to work with that alias:

# ~/.bashrc or ~/.bash_profile
alias tm=timoni
complete -F __start_timoni tm

To configure your fish shell to load completions for each session write this script to your completions dir:

timoni completion fish > ~/.config/fish/completions/timoni.fish

To load completion run:

. <(timoni completion powershell)

To configure your powershell shell to load completions for each session add to your powershell profile:

Windows:

cd "$env:USERPROFILE\Documents\WindowsPowerShell\Modules"
timoni completion >> timoni-completion.ps1

Linux:

cd "${XDG_CONFIG_HOME:-"$HOME/.config/"}/powershell/modules"
timoni completion >> timoni-completions.ps1

To load completion run:

. <(timoni completion zsh) && compdef _timoni timoni

To configure your zsh shell to load completions for each session add to your zshrc:

# ~/.zshrc or ~/.profile
command -v timoni >/dev/null && . <(timoni completion zsh) && compdef _timoni timoni

or write a cached file in one of the completion directories in your ${fpath}:

echo "${fpath// /\n}" | grep -i completion
timoni completion zsh > _timoni

mv _timoni ~/.oh-my-zsh/completions  # oh-my-zsh
mv _timoni ~/.zprezto/modules/completion/external/src/  # zprezto

Local cache

Timoni maintains a local cache of modules pulled from remote container registries. Cashing is meant to reduce network traffic for sequential pull operations and speeds up applying bundles which refer to modules with identical layers.

The default cache location is $HOME/.timoni/cache and be changed with the --cache-dir global flag.

If the home directory is not writable, caching can be disabled by setting the TIMONI_CACHING=false environment variable.

SLSA Provenance & SBOMs

The build, release and provenance portions of Timoni's supply chain meet the SLSA Build Level 3 requirements.

The release artifacts are produced on GitHub-hosted runners using GoReleaser and the provenance generation is handled by the official SLSA GitHub Generator.

To verify a release artifact such as the Timoni binary tarball, you can use the slsa-verifier tool:

TIMONI_VER=0.10.0 && \
gh release download v${TIMONI_VER} -R=stefanprodan/timoni -p="*" && \
slsa-verifier verify-artifact \
--provenance-path timoni_${TIMONI_VER}_provenance.intoto.jsonl \
--source-uri github.com/stefanprodan/timoni  \
--source-tag v${TIMONI_VER} \
timoni_${TIMONI_VER}_darwin_arm64.tar.gz

Each release comes with a Software Bill of Materials (SBOM) in SPDX format. The SBOMs are generated on GitHub-hosted runners using GoReleaser and Syft.

To scan a release for vulnerabilities, you can use Grype:

TIMONI_VER=0.10.0 && \
gh release download v${TIMONI_VER} -R=stefanprodan/timoni -p="*sbom.spdx.json" && \
grype sbom:./timoni_${TIMONI_VER}_sbom.spdx.json