Install

Homebrew

brew tap szhekpisov/diffyml
brew install diffyml

Go install

go install github.com/szhekpisov/diffyml@latest

Make sure $GOPATH/bin is in your PATH:

export PATH="$(go env GOPATH)/bin:$PATH"

Docker

Multi-arch images (linux/amd64, linux/arm64) are published to GitHub Container Registry:

docker pull ghcr.io/szhekpisov/diffyml:latest

# Compare two files from the current directory
docker run --rm -v "$PWD:/work" -w /work ghcr.io/szhekpisov/diffyml:latest old.yaml new.yaml

Images are built from a distroless base and run as a non-root user. Use :latest or pin to a specific version (e.g. :1.5.25).

Install script (Linux / macOS)

curl -fsSL https://szhekpisov.github.io/diffyml/install.sh | sh

The script detects your OS and architecture, downloads the matching release archive, verifies its SHA256 against the signed checksums.txt, and installs the binary to /usr/local/bin/diffyml.

Environment variables:

| Variable | Default | Notes |
| --- | --- | --- |
| DIFFYML_VERSION | latest release | Pin a specific version, e.g. 1.6.1. Recommended in CI — avoids the unauthenticated GitHub API call (60 req/hr per IP) used to resolve the latest tag. |
| INSTALL_DIR | /usr/local/bin | Falls back to sudo if the directory isn’t writable. |
| VERIFY | sha256 | Use cosign to verify the cosign signature on checksums.txt first (requires cosign in PATH), or none to skip verification. |
| GITHUB_TOKEN | unset | If set, used to authenticate the GitHub API call when resolving the latest version. Useful on shared CI egress IPs. |

Example pinning a version, installing into ~/bin, and adding cosign verification:

DIFFYML_VERSION=1.6.1 INSTALL_DIR="$HOME/bin" VERIFY=cosign \
  sh -c "$(curl -fsSL https://szhekpisov.github.io/diffyml/install.sh)"

Linux packages

Native .deb, .rpm, and .apk packages for amd64 and arm64 are attached to every release. The binary installs to /usr/bin/diffyml. All package archives are listed in the cosign-signed checksums.txt, so you can verify before installing — see Verifying releases. The .apk uses --allow-untrusted because nfpm-built apks aren’t GPG-signed; verify the SHA256 from checksums.txt instead.

# Debian / Ubuntu
curl -fLO "https://github.com/szhekpisov/diffyml/releases/download/v1.6.1/diffyml_1.6.1_linux_amd64.deb"
sudo dpkg -i diffyml_1.6.1_linux_amd64.deb

# RHEL / Fedora / openSUSE
curl -fLO "https://github.com/szhekpisov/diffyml/releases/download/v1.6.1/diffyml_1.6.1_linux_amd64.rpm"
sudo rpm -i diffyml_1.6.1_linux_amd64.rpm

# Alpine
curl -fLO "https://github.com/szhekpisov/diffyml/releases/download/v1.6.1/diffyml_1.6.1_linux_amd64.apk"
sudo apk add --allow-untrusted diffyml_1.6.1_linux_amd64.apk

Direct binary download

If you’d rather not pipe a script to sh, the same archives are attached to every release for Linux and macOS (amd64 and arm64). Download, extract, and move onto your PATH:

VERSION=1.6.1  # check the releases page for the latest
OS=$(uname -s | tr '[:upper:]' '[:lower:]')
ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
curl -fL "https://github.com/szhekpisov/diffyml/releases/download/v${VERSION}/diffyml_${VERSION}_${OS}_${ARCH}.tar.gz" \
  | tar -xz
sudo mv diffyml /usr/local/bin/

Archives are named diffyml_<VERSION>_<os>_<arch>.tar.gz. See Verifying releases to check signatures and provenance before installing.

From source

git clone https://github.com/szhekpisov/diffyml.git
cd diffyml
go build -o diffyml

Requires Go 1.26.3 or later.

Verifying releases

Every release ships:

  • Checksums (checksums.txt) — SHA256 hashes for all archives
  • Cosign signature (checksums.txt.sigstore.json) — keyless Sigstore signature
  • SBOMs (*.spdx.json) — SPDX Software Bill of Materials per archive
  • SLSA provenance — Level 3 attestation

cosign verify-blob checksums.txt \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp 'https://github.com/szhekpisov/diffyml/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'

# Linux
sha256sum --check checksums.txt --ignore-missing
# macOS
shasum -a 256 --check checksums.txt --ignore-missing
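
With --check --ignore-missing, only files that have an entry in checksums.txt are examined, so a download saved under a name that is not listed is never hashed. The script below is an added example, not part of this page or of diffyml's install.sh: it checks one named file and fails closed when the file has no entry. It assumes the cosign signature on checksums.txt was already verified as shown above; the function names, return codes and the 0.0.0 file name are illustrative.

```shell
#!/bin/sh
# Added example (not diffyml's install.sh): fail-closed SHA256 check of ONE
# named file against checksums.txt. Assumes the standard sha256sum layout
# "<hex digest>  <filename>" and filenames without spaces.

# Print the SHA256 hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_listed <checksums.txt> <file>
# 0 = listed exactly once and digest matches, 1 = digest mismatch,
# 2 = not listed (or listed more than once), 3 = an input file is missing.
verify_listed() {
    sums=$1
    file=$2
    [ -f "$sums" ] && [ -f "$file" ] || return 3
    name=$(basename "$file")
    # Exact match on the filename field; a leading "*" marks binary mode.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { digest = $1; count++ }
        END { if (count == 1) print digest }' "$sums")
    [ -n "$expected" ] || return 2
    [ "$(sha256_of "$file")" = "$expected" ] || return 1
    return 0
}

# Demo on constructed files in a temporary directory (no network needed).
demo() {
    d=$(mktemp -d)
    pkg="$d/diffyml_0.0.0_linux_amd64.apk"        # constructed placeholder name
    printf 'constructed package bytes\n' > "$pkg"
    printf '%s  %s\n' "$(sha256_of "$pkg")" "$(basename "$pkg")" > "$d/checksums.txt"
    verify_listed "$d/checksums.txt" "$pkg" && echo "listed and intact: ok"
    printf 'x' >> "$pkg"                           # simulate a modified download
    verify_listed "$d/checksums.txt" "$pkg" || echo "modified file rejected (rc=$?)"
    cp "$pkg" "$d/renamed.apk"
    verify_listed "$d/checksums.txt" "$d/renamed.apk" || echo "unlisted file rejected (rc=$?)"
    rm -rf "$d"
}
demo
```

Run verify_listed on the package or archive before dpkg -i, rpm -i, apk add --allow-untrusted or tar -xz, and stop on any non-zero return code.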

Verify SLSA provenance with gh attestation:

gh attestation verify diffyml_<VERSION>_linux_amd64.tar.gz --repo szhekpisov/diffyml

Verify a container image:

cosign verify \
  --registry-referrers-mode=oci-1-1 \
  --certificate-identity-regexp 'https://github.com/szhekpisov/diffyml/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/szhekpisov/diffyml:<VERSION>