> I was tempted to try it until I saw the curl | bash pipe, then no

I don't quite get that argument. It's the same as the old download installer from random website, double click to run that people have been doing for decades. It only skips the download step. And it's arguably better since at least you can review the contents. When building a Go program it will also happily download stuff from github but I've seen way less complaints about that. And to be fair it's also been an infection vector, from people installing things from shady places (or reputable places but with ill-intent like installing unwanted browser toolbars, DRM rootkits ...), but it's nothing new. Same advice applies, know what you're doing, use reputable sources.

What's a better alternative ?

I don't think the go module system is great but I am not sure if any programming gets it right and all suffer from many issues, but go has the go.mod and it is easy to see what dependencies are being used both direct and indirect and the user can filter and look though these packages and pin them until they have eyeballed updates to the git repo. I don't feel the most comfortable with it but the whole `curl | sh` is so terrible, no signing no, way of knowing about the integrity of the installer.

> What's a better alternative ?

I do not think the program really needs and installer but if one must then why not just have it under source control that way you get the benefits of git handling all the download bits and the install script being completely offline and just using cp or install commands.

you could tell the user to do this with a pithy command like `git --depth=1 clone $GITSITE/$REPO && $REPO/installer.sh && rm -R $REPO`