ci(release): bump homebrew-tap formula on readie publish #6
Adds a `bump-homebrew-tap` job to the release workflow that fires after a successful npm publish on `main`. When `readie` is in `publishedPackages`, it downloads the new tarball from `registry.npmjs.org`, computes its sha256, and opens a PR against `inthhq/homebrew-tap` updating `Formula/readie.rb`'s `url` and `sha256`. Tap CI then runs `brew audit --strict --online` and `brew test readie` against the change before the PR can be merged. Requires repo secret TAP_GITHUB_TOKEN: a fine-grained PAT scoped to inthhq/homebrew-tap with Contents: write and Pull requests: write (GITHUB_TOKEN cannot push to another repository). Co-authored-by: Cursor <cursoragent@cursor.com>
Summary by CodeRabbit
Walkthrough
The release workflow gains the ability to automatically synchronize published versions to the Homebrew formula repository. The release job now exports publication status and package list as outputs. A new downstream job, conditioned on successful publishing, extracts the released version, waits for npm tarball availability, computes its SHA-256, and updates the
Changes
Homebrew Release Workflow
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release.yml:
- Around line 140-141: The current .replace chain uses
.replace(/^(\s*sha256\s+).*$/m, ...) which can modify the first sha256 anywhere
in the file; change the second replace so it only targets the sha256 inside the
formula's source stanza instead of the first sha256 in the file. Concretely,
modify the .replace call that currently matches /^(\s*sha256\s+).*$/m (the
second replace in the chain that follows .replace(/^(\s*url\s+).*$/m,...)) to
first locate the "source" block and then replace the sha256 only within that
block (e.g., match the source stanza and replace the sha256 line inside it),
ensuring bottle checksums earlier in the file are not touched.
📒 Files selected for processing (1)
.github/workflows/release.yml
📜 Review details
🔇 Additional comments (2)
.github/workflows/release.yml (2)
61-75: Good output wiring and downstream gating. Exposing `published`/`publishedPackages` and gating the follow-up job on publish state is clean and avoids unnecessary tap updates.
98-117: Retry/backoff strategy for npm propagation looks solid. The bounded retry loop with connect/max-time limits is a good reliability guard for registry lag.
| .replace(/^(\s*url\s+).*$/m, `$1"${process.env.URL}"`) | ||
| .replace(/^(\s*sha256\s+).*$/m, `$1"${process.env.SHA}"`); |
Scope the checksum replacement to the source stanza (not first sha256).
On Line 141, ^(\s*sha256\s+).*$/m mutates the first sha256 in the file. If the formula later includes bottle checksums earlier, this can update the wrong field and produce a broken bump PR.
Suggested fix
- const next = src
- .replace(/^(\s*url\s+).*$/m, `$1"${process.env.URL}"`)
- .replace(/^(\s*sha256\s+).*$/m, `$1"${process.env.SHA}"`);
+ const next = src.replace(
+ /(^\s*url\s+)"[^"]+"(\n\s*sha256\s+)"[^"]+"/m,
+ `$1"${process.env.URL}"$2"${process.env.SHA}"`
+ );
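Review bot: The suggested `src.replace(...)` returns `src` unchanged when the pattern does not match, for example if `url` and `sha256` are ever not on adjacent lines or a value is not double-quoted, so the step would carry on with a stale formula. Compare `next` with `src` after the call and fail the step when they are equal. `process.env.URL` and `process.env.SHA` are also interpolated into the replacement string, where `$` sequences are expanded; passing a replacer function and checking the SHA against `/^[0-9a-f]{64}$/` before writing avoids that.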
Summary
Adds a `bump-homebrew-tap` job to `.github/workflows/release.yml`. It runs after the `release` job on `main` and, if `readie` is in `publishedPackages`:
- `https://registry.npmjs.org/readie/-/readie-<version>.tgz` (with retry while the registry catches up).
- `inthhq/homebrew-tap` updating `Formula/readie.rb`'s `url` and `sha256` to the new version.

Tap CI then runs `brew audit --strict --online` and `brew test readie` against the change before the PR can be merged. The companion PR adding `Formula/readie.rb` to the tap is `inthhq/homebrew-tap#2`.

The `release` job's `outputs` block was added so the new job can read `publishedPackages`.

Required secret
Before merging, add a repo secret named `TAP_GITHUB_TOKEN`:
- `inthhq/homebrew-tap`
- `Contents: write`, `Pull requests: write`

The default `GITHUB_TOKEN` cannot push to another repository, which is why a dedicated PAT is required.

Test plan
- `TAP_GITHUB_TOKEN` to repo secrets.
- `inthhq/homebrew-tap#2` first so `Formula/readie.rb` exists.
- `readie` and confirm a bump PR appears at `inthhq/homebrew-tap` with the correct `url` + `sha256`.
- (`brew install`, `brew test`, `brew audit --strict --online`) passes against the bump PR.

Made with Cursor
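The checksum-scoping problem raised in the review, as an added example that is not part of the PR or the project's workflow: it runs the PR's replace chain and a stricter variant over a constructed formula in which a bottle checksum precedes the source stanza. The sample formula, the function names, the `TARBALL_URL` allow-list and the version numbers are assumptions made for illustration.

```javascript
// Constructed sample (not the real Formula/readie.rb): a bottle checksum
// appears before the source url/sha256 pair.
const SAMPLE_FORMULA = [
  "class Readie < Formula",
  "  bottle do",
  `    sha256 cellar: :any_skip_relocation, all: "${"b".repeat(64)}"`,
  "  end",
  '  url "https://registry.npmjs.org/readie/-/readie-0.0.1.tgz"',
  `  sha256 "${"a".repeat(64)}"`,
  "end",
  "",
].join("\n");

// The replace chain from the PR: each call rewrites the first matching line.
function bumpNaive(src, url, sha) {
  return src
    .replace(/^(\s*url\s+).*$/m, `$1"${url}"`)
    .replace(/^(\s*sha256\s+).*$/m, `$1"${sha}"`);
}

// Hypothetical hardened variant: validate inputs, require exactly one adjacent
// url/sha256 pair, and fail instead of writing an unchanged or ambiguous file.
const TARBALL_URL = /^https:\/\/registry\.npmjs\.org\/readie\/-\/readie-[0-9A-Za-z.+-]+\.tgz$/;
const SOURCE_PAIR = /^([ \t]*url[ \t]+)"[^"\n]*"(\n[ \t]*sha256[ \t]+)"[0-9a-f]{64}"/gm;

function bumpScoped(src, url, sha) {
  if (!TARBALL_URL.test(url)) throw new Error("unexpected tarball url");
  if (!/^[0-9a-f]{64}$/.test(sha)) throw new Error("sha256 must be 64 lowercase hex chars");
  const pairs = src.match(SOURCE_PAIR) || [];
  if (pairs.length !== 1) {
    throw new Error(`expected exactly 1 url/sha256 pair, found ${pairs.length}`);
  }
  // A replacer function keeps "$" sequences in the inputs from being expanded.
  return src.replace(SOURCE_PAIR, (_m, urlKey, shaKey) => `${urlKey}"${url}"${shaKey}"${sha}"`);
}

const NEW_URL = "https://registry.npmjs.org/readie/-/readie-0.0.2.tgz"; // constructed
const NEW_SHA = "c".repeat(64); // constructed placeholder digest
console.log(bumpNaive(SAMPLE_FORMULA, NEW_URL, NEW_SHA));
console.log(bumpScoped(SAMPLE_FORMULA, NEW_URL, NEW_SHA));
```

With this sample, the naive chain overwrites the bottle line and leaves the source `sha256` pointing at the old tarball, which is the mismatch `brew audit --strict --online` in tap CI would then have to catch.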