This doesn't quite work because the redirect to the raw version requires auth while navigating directly to the temp file appears to be publicly accessible.

The auth is trying to protect your code from outsiders. You can make the whole repo "public", and then there will be no auth requirement.

If you could generate an auth-free uri to download arbitrary files from your code, that would basically mean I could download all your code without any auth mechanism, just by guessing filenames.

Yeah, good point. I guess what I really want is "the ability to generate a static download URL with custom policy controls to a file in a diffusion". Looks like I should host this file somewhere else because I don't want the entire repo to be public.

Use sub-modules and make the sub-module public? (or the parent public and the sub-module private)

Ehh, that seems messy/a lot of maintenance for a single file. It'd be perfect if you could tie a paste to a file in diffusion and handle access control through the paste since that already supports policies, but I doubt upstream has any interest in that.

I've just added a step in our deployments to push the single install file somewhere that people can download it from.