This would mainly be to support loading plugins directly from a public GitHub release and to dramatically simplify the initial getting started experience.

I think this should also support some form of passing an Authorization header, which would need to read secrets from somewhere. Future improvements might include checking a signature?

Initial implementation doesn't read secrets but does check a sha256 hash.