
ci(release): bump homebrew-tap formula on dsar publish #38

Draft
BurnedChris wants to merge 1 commit into main from chore/add-homebrew-tap-bumper



@BurnedChris
Contributor

Summary

Adds a bump-homebrew-tap job to .github/workflows/release.yml. It runs after the release job on main and, if dsar is in publishedPackages:

  1. Downloads https://registry.npmjs.org/dsar/-/dsar-<version>.tgz (with retry while the registry catches up).
  2. Computes its sha256.
  3. Opens a PR against inthhq/homebrew-tap updating Formula/dsar.rb's url and sha256 to the new version.

Tap CI then runs brew audit --strict --online and brew test dsar against the change before the PR can be merged. The companion PR adding Formula/dsar.rb to the tap is inthhq/homebrew-tap#2.

Required secret

Before merging, add a repo secret named TAP_GITHUB_TOKEN:

  • Fine-grained PAT scoped to inthhq/homebrew-tap
  • Permissions: Contents: write, Pull requests: write

The default GITHUB_TOKEN cannot push to another repository, which is why a dedicated PAT is required.

Test plan

  • Add TAP_GITHUB_TOKEN to repo secrets.
  • Merge inthhq/homebrew-tap#2 first so Formula/dsar.rb exists.
  • Land a changeset that publishes dsar and confirm a bump PR appears at inthhq/homebrew-tap with the correct url + sha256.
  • Confirm tap CI (brew install, brew test, brew audit --strict --online) passes against the bump PR.

Made with Cursor

Adds a `bump-homebrew-tap` job to the release workflow that fires after
a successful npm publish on `main`. When `dsar` is in
`publishedPackages`, it downloads the new tarball from
`registry.npmjs.org`, computes its sha256, and opens a PR against
`inthhq/homebrew-tap` updating `Formula/dsar.rb`'s `url` and `sha256`.

Tap CI then runs `brew audit --strict --online` and `brew test dsar`
against the change before the PR can be merged.

Requires repo secret TAP_GITHUB_TOKEN: a fine-grained PAT scoped to
inthhq/homebrew-tap with Contents: write and Pull requests: write
(GITHUB_TOKEN cannot push to another repository).

Co-authored-by: Cursor <cursoragent@cursor.com>
@coderabbitai

coderabbitai Bot commented May 12, 2026


📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Automated Homebrew formula updates to sync with production releases, streamlining the installation experience for package managers.

Walkthrough

The PR adds automated Homebrew formula publishing to the release workflow. It exposes published and publishedPackages outputs from the Changesets action, then introduces a downstream job that extracts the dsar version, retrieves the npm tarball, computes its checksum, updates the Homebrew formula, and opens an automated PR.

Changes

Homebrew Formula Automation

| Layer / File(s) | Summary |
| --- | --- |
| Release Job Outputs (.github/workflows/release.yml) | Release job outputs published and publishedPackages from Changesets production step for downstream job consumption. |
| Homebrew Tap Update Job (.github/workflows/release.yml) | New bump-homebrew-tap job that runs after successful main branch releases, extracts dsar version, waits for npm tarball, computes sha256, updates Formula/dsar.rb URL and checksum, and opens an automated PR against inthhq/homebrew-tap with appropriate labels and branch naming. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A release goes out, the workflow takes flight,
Publishing packages into the night,
To Homebrew it flows, with sha256 in hand,
A tap gets an update across all the land!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly describes the main change: adding automation to bump the Homebrew formula when dsar is published. |
| Description check | ✅ Passed | The description is directly related to the changeset, providing clear context about the new job, its functionality, required setup, and test plan. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 148-155: The retry loop that downloads "$URL" into dsar.tgz can
exhaust all 10 attempts and then fail only at `test -s dsar.tgz` with an unclear
message; after the for-loop (before `test -s dsar.tgz`) add an explicit check
for the file and, if missing or empty, emit a clear error like "Failed to
download dsar.tgz from $URL after 10 attempts" and exit non‑zero (e.g., echo the
message and `exit 1`) so failures are immediately debuggable.
- Around line 192-212: The workflow step named "Create pull request" references
a non-existent action SHA
(peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676);
update the uses line to a valid reference by replacing that SHA with the
official tag or correct commit for v7.0.11 (e.g.,
peter-evans/create-pull-request@v7.0.11) so the step uses a known release of the
create-pull-request action.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a62af585-411b-41ab-a4c5-5a6709c89123

📥 Commits

Reviewing files that changed from the base of the PR and between 7d9105a and 38e761a.

📒 Files selected for processing (1)
  • .github/workflows/release.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Vitest (bun)
  • GitHub Check: Vitest (node)
🔇 Additional comments (5)
.github/workflows/release.yml (5)

101-104: LGTM!

The job outputs correctly expose the changesets action outputs for downstream consumption by the bump-homebrew-tap job.


110-119: LGTM!

The job conditions are well-structured with appropriate guards, and the permissions follow least-privilege principles.


121-138: LGTM!

The version extraction handles edge cases well—gracefully skipping when dsar isn't in the published packages and using process.stdout.write to avoid newline issues in the output.


160-166: LGTM!

The checkout step correctly uses a pinned action version and the dedicated token for cross-repository access.


168-190: LGTM!

The formula update logic correctly preserves indentation, includes an idempotency check to prevent no-op PRs, and logs the diff for visibility.

Minor note: The VERSION env var is passed but unused in the Node script—consider removing it from the env block for clarity.

Comment on lines +148 to +155
for i in 1 2 3 4 5 6 7 8 9 10; do
if curl -fSL --connect-timeout 10 --max-time 60 "$URL" -o dsar.tgz; then
break
fi
echo "Attempt $i: tarball not ready yet, sleeping..."
sleep $((i * 6))
done
test -s dsar.tgz
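Review bot: the loop never records whether any `curl` call succeeded, so the closing `test -s dsar.tgz` only proves that a non-empty file exists. If an attempt is cut off by `--max-time 60` after some bytes were written and no later attempt succeeds, the truncated file passes the test and is what the sha256 step hashes. Set a flag in the `break` branch and test that flag after `done`, and `rm -f dsar.tgz` in the failure path before sleeping.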

🧹 Nitpick | 🔵 Trivial | 💤 Low value

Consider adding an explicit failure message when all retries are exhausted.

If all 10 attempts fail, the step fails at test -s dsar.tgz with a cryptic error. Adding an explicit failure after the loop improves debuggability.

♻️ Proposed improvement
           for i in 1 2 3 4 5 6 7 8 9 10; do
             if curl -fSL --connect-timeout 10 --max-time 60 "$URL" -o dsar.tgz; then
               break
             fi
             echo "Attempt $i: tarball not ready yet, sleeping..."
             sleep $((i * 6))
           done
-          test -s dsar.tgz
+          if [ ! -s dsar.tgz ]; then
+            echo "::error::Failed to download tarball after 10 attempts: $URL"
+            exit 1
+          fi
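Review bot: the added `if [ ! -s dsar.tgz ]` block reports the failure only after the loop has slept a further 60 seconds following the tenth failed attempt, because `sleep $((i * 6))` runs unconditionally. Skip the sleep on the last iteration, or emit the `::error::` line and `exit 1` from inside the loop when `$i` reaches 10. The hard-coded "10 attempts" in the message also has to be kept in step with the list on the `for` line.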
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
for i in 1 2 3 4 5 6 7 8 9 10; do
if curl -fSL --connect-timeout 10 --max-time 60 "$URL" -o dsar.tgz; then
break
fi
echo "Attempt $i: tarball not ready yet, sleeping..."
sleep $((i * 6))
done
test -s dsar.tgz
for i in 1 2 3 4 5 6 7 8 9 10; do
if curl -fSL --connect-timeout 10 --max-time 60 "$URL" -o dsar.tgz; then
break
fi
echo "Attempt $i: tarball not ready yet, sleeping..."
sleep $((i * 6))
done
if [ ! -s dsar.tgz ]; then
echo "::error::Failed to download tarball after 10 attempts: $URL"
exit 1
fi

Comment on lines +192 to +212
- name: Create pull request
if: steps.version.outputs.skip != 'true'
uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
with:
path: homebrew-tap
token: ${{ secrets.TAP_GITHUB_TOKEN }}
branch: bump-dsar-${{ steps.version.outputs.version }}
base: main
commit-message: "dsar ${{ steps.version.outputs.version }}"
title: "dsar ${{ steps.version.outputs.version }}"
body: |
Bump `dsar` to `${{ steps.version.outputs.version }}`.

- tarball: ${{ steps.sha.outputs.url }}
- sha256: `${{ steps.sha.outputs.sha256 }}`

Auto-generated by [inthhq/dsar](https://github.com/inthhq/dsar) release pipeline. Tap CI will run `brew audit --strict --online` and `brew test dsar` against this change before it can be merged.
delete-branch: true
labels: |
automated
release
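Review bot: on the `uses:` line the 40-character commit SHA and the `# v7.0.11` comment are not tied together by anything in the workflow, and this step is the one that receives `secrets.TAP_GITHUB_TOKEN`. Confirm that the SHA is the commit the v7.0.11 tag resolves to (dereferencing the tag object if the tag is annotated) and correct whichever of the two is wrong. Keep the full-SHA pin when doing so: a tag reference is mutable, and a retagged release would then run with a token that has Contents: write on the tap.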

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify peter-evans/create-pull-request SHA corresponds to v7.0.11
curl -sL "https://api.github.com/repos/peter-evans/create-pull-request/git/refs/tags/v7.0.11" | jq -r '.object.sha'

Repository: inthhq/dsar

Length of output: 60


🌐 Web query:

peter-evans/create-pull-request v7.0.11 release

💡 Result:

Release v7.0.11 of peter-evans/create-pull-request contains a fix to restrict running git remote prune to self-hosted runners. Specifically, the compare page for v7.0.10...v7.0.11 shows a single commit (“fix: restrict remote prune to self-hosted runners (#4250)”) and the code change gates the prune logic behind utils.isSelfHosted() instead of running it unconditionally.[1] The repositories’ releases list also indicates v7.0.11 and the “What’s Changed” section includes this same item (“restrict remote prune to self-hosted runners”).[2] The underlying change reason is described in the diff: for self-hosted runners the repository state persists between runs, and pruning stale remote refs prevents push failures due to “stale info.”[1]

Citations:


🏁 Script executed:

#!/bin/bash
# Try alternative API endpoint to get releases for peter-evans/create-pull-request
curl -sL "https://api.github.com/repos/peter-evans/create-pull-request/releases" | jq -r '.[0:5] | .[] | "\(.tag_name): \(.target_commitish)"'

Repository: inthhq/dsar

Length of output: 113


🏁 Script executed:

#!/bin/bash
# Check if the specific commit SHA exists in the repository
curl -sL "https://api.github.com/repos/peter-evans/create-pull-request/commits/22a9089034f40e5a961c8808d113e2c98fb63676" | jq -r '.sha // "NOT_FOUND"'

Repository: inthhq/dsar

Length of output: 65


🏁 Script executed:

#!/bin/bash
# Get the actual commit SHA for v7.0.11 tag
curl -sL "https://api.github.com/repos/peter-evans/create-pull-request/git/refs/tags/v7.0.11" 2>&1 | head -50

Repository: inthhq/dsar

Length of output: 335


🏁 Script executed:

#!/bin/bash
# Try different API endpoint for tag info
curl -sL "https://api.github.com/repos/peter-evans/create-pull-request/releases/tags/v7.0.11" 2>&1 | jq '.target_commitish, .author.login' 2>&1 | head -10

Repository: inthhq/dsar

Length of output: 65


🏁 Script executed:

#!/bin/bash
# Get commit info for the SHA in the workflow to see what it actually points to
curl -sL "https://api.github.com/repos/peter-evans/create-pull-request/commits/22a9089034f40e5a961c8808d113e2c98fb63676" 2>&1 | jq '.message // "NOT_FOUND"' 2>&1 | head -5

Repository: inthhq/dsar

Length of output: 223


Fix: Invalid action SHA reference

The action SHA 22a9089034f40e5a961c8808d113e2c98fb63676 does not exist in the peter-evans/create-pull-request repository. Verify and update to the correct commit SHA for v7.0.11 or use the full release tag reference (e.g., peter-evans/create-pull-request@v7.0.11).


@BurnedChris
Contributor Author

Blocked — holding this PR until upstream publish is fixed

After landing inthhq/homebrew-tap#2, the matrix CI run on the tap surfaced that dsar@0.0.5 is uninstallable on plain npm (and therefore via brew):

```
npm error code EUNSUPPORTEDPROTOCOL
npm error Unsupported URL Type "catalog:": catalog:effect
```

The published tarball still contains unresolved `workspace:` and `catalog:` specifiers in `dependencies`, `devDependencies`, and `peerDependencies`. These need to be resolved to concrete versions at publish time (similar to how `c15t` and `leadtype` use a `bun scripts/resolve-workspace-deps.ts` step before `changeset publish`).

What this PR needs to unblock

  1. Fix the dsar release pipeline to resolve `workspace:` and `catalog:` before `npm publish` (port the `resolve-workspace-deps.ts` pattern from c15t/leadtype, extend it to handle catalog refs).
  2. Cut a patched release.
  3. Re-add `Formula/dsar.rb` to `inthhq/homebrew-tap` (dropped from Version Packages #2 for now).
  4. Then this bumper job will run cleanly on the next publish.

Converting to draft until the upstream is unblocked.
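
The failure described in the comment above, turned into a pre-publish gate (an added example, not part of the original comment or the dsar repository): it scans a packed `package.json` for ranges that still start with `workspace:` or `catalog:`. The function names and the sample manifest are constructed for illustration, and `optionalDependencies` is checked in addition to the three fields the comment names.

```javascript
// Added example: detect monorepo-only dependency specifiers that survived packing.
// npm rejects "workspace:" and "catalog:" ranges with EUNSUPPORTEDPROTOCOL, so any
// finding here means the tarball would be uninstallable once published.

const DEP_FIELDS = [
  "dependencies",
  "devDependencies",
  "peerDependencies",
  "optionalDependencies", // extension beyond the three fields named in the thread
];
const LOCAL_PROTOCOLS = ["workspace:", "catalog:"];

// Returns one finding per dependency whose range still uses a local protocol.
function findUnresolvedSpecifiers(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = manifest[field];
    if (deps === null || typeof deps !== "object") continue; // absent or malformed
    for (const [name, range] of Object.entries(deps)) {
      if (typeof range !== "string") continue;
      const protocol = LOCAL_PROTOCOLS.find((p) => range.trim().startsWith(p));
      if (protocol) findings.push({ field, name, range, protocol });
    }
  }
  return findings;
}

// One line per finding for the CI log; an empty string means nothing was found.
function formatReport(findings) {
  return findings.map((f) => `${f.field}: ${f.name} -> "${f.range}"`).join("\n");
}

// Constructed sample manifest (not the real dsar package.json).
const SAMPLE_MANIFEST = {
  name: "example-cli",
  version: "0.0.0",
  dependencies: { effect: "catalog:effect", chalk: "^5.3.0" },
  devDependencies: { "@example/tsconfig": "workspace:*" },
  peerDependencies: { typescript: "catalog:" },
};

const sampleFindings = findUnresolvedSpecifiers(SAMPLE_MANIFEST);
// In a release job, a non-empty result would fail the step before `npm publish`.
console.log(formatReport(sampleFindings) || "no unresolved specifiers");
```

In a release job the manifest passed in should be the `package.json` extracted from the packed tarball rather than the one in the working tree, since the packed copy is what the registry serves.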

@BurnedChris BurnedChris marked this pull request as draft May 12, 2026 01:45