ci(release): bump homebrew-tap formula on leadtype publish #33
BurnedChris wants to merge 1 commit into
Adds a `bump-homebrew-tap` job to the release workflow that fires after a successful npm publish on `main`. When `leadtype` is in `publishedPackages`, it downloads the new tarball from `registry.npmjs.org`, computes its sha256, and opens a PR against `inthhq/homebrew-tap` updating `Formula/leadtype.rb`'s `url` and `sha256`.
Tap CI then runs `brew audit --strict --online` and `brew test leadtype` against the change before the PR can be merged.
Requires repo secret TAP_GITHUB_TOKEN: a fine-grained PAT scoped to inthhq/homebrew-tap with Contents: write and Pull requests: write (GITHUB_TOKEN cannot push to another repository).
Co-authored-by: Cursor <cursoragent@cursor.com>
Walkthrough
The release workflow is extended to expose
Changes
Homebrew Tap Publication Automation
Sequence Diagram
sequenceDiagram
participant Release as Release Job
participant BumpJob as bump-homebrew-tap Job
participant NPM as npm Registry
participant GitHub as GitHub API
participant HBTap as homebrew-tap Repo
Release->>BumpJob: published, publishedPackages
BumpJob->>BumpJob: Extract leadtype version
BumpJob->>NPM: Download tarball (with retries)
NPM-->>BumpJob: Tarball
BumpJob->>BumpJob: Compute SHA-256
BumpJob->>GitHub: Checkout inthhq/homebrew-tap
GitHub-->>BumpJob: Repo clone
BumpJob->>BumpJob: Update Formula/leadtype.rb
BumpJob->>GitHub: Commit & push to versioned branch
BumpJob->>GitHub: Create PR with metadata
GitHub-->>BumpJob: PR created
Note over BumpJob,GitHub: Branch auto-deletes after merge
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release.yml:
- Around line 147-158: The script currently only verifies the file changed
generally; update it to assert that both replacements happened by checking that
the updated content contains both process.env.URL and process.env.SHA (e.g.,
after creating next from src via the two .replace calls, verify
next.includes(process.env.URL) && next.includes(process.env.SHA)); if either
check fails, write an error (mention which replacement failed) to stderr and
exit(1). Use the existing variables (path, src, next, process.env.URL,
process.env.SHA) and fail unless both replacements are present.
- Around line 118-126: The retry loop currently only checks that leadtype.tgz is
non-empty before computing SHA, which can allow partial downloads; modify the
loop around the curl calls to remove any existing leadtype.tgz before each
attempt (rm -f leadtype.tgz), set a success flag (e.g., CURL_SUCCESS=0/1) when
curl succeeds and break, and after the loop explicitly fail (exit 1) if the
success flag is not set; only run test -s and compute SHA="$(shasum -a 256
leadtype.tgz | awk '{print $1}')" when the curl success flag indicates a
successful full download.
| for i in 1 2 3 4 5 6 7 8 9 10; do | ||
| if curl -fSL --connect-timeout 10 --max-time 60 "$URL" -o leadtype.tgz; then | ||
| break | ||
| fi | ||
| echo "Attempt $i: tarball not ready yet, sleeping..." | ||
| sleep $((i * 6)) | ||
| done | ||
| test -s leadtype.tgz | ||
| SHA="$(shasum -a 256 leadtype.tgz | awk '{print $1}')" |
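Review bot: the `shasum -a 256 leadtype.tgz` line derives the formula's hash from whatever bytes the registry just served, so nothing ties the pinned sha256 to the artifact the release job actually published. Compare the download against a digest the release job already holds before computing `SHA`, and fail the job on a mismatch instead of opening the tap PR.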
Fail explicitly on incomplete downloads, not just empty files.
`test -s leadtype.tgz` only proves the file is non-empty. A failed `curl` can still leave a partial tarball behind, so this block may compute a SHA-256 for truncated content and open a broken tap PR. Track whether any retry actually succeeded and clear the file before each attempt.
Suggested fix
URL="https://registry.npmjs.org/leadtype/-/leadtype-${VERSION}.tgz"
+ downloaded=false
for i in 1 2 3 4 5 6 7 8 9 10; do
+ rm -f leadtype.tgz
if curl -fSL --connect-timeout 10 --max-time 60 "$URL" -o leadtype.tgz; then
+ downloaded=true
break
fi
echo "Attempt $i: tarball not ready yet, sleeping..."
sleep $((i * 6))
done
- test -s leadtype.tgz
+ $downloaded || { echo "Tarball was never downloaded successfully"; exit 1; }
SHA="$(shasum -a 256 leadtype.tgz | awk '{print $1}')"
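Review bot: `$downloaded || { ... }` on the last added line executes the variable's value as a command, which only works while it holds exactly `true` or `false`. Prefer an explicit `[ "$downloaded" = true ] || { ...; exit 1; }` and send the message to stderr with `>&2` so the failure stands out in the job log.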
| node -e ' | ||
| const fs = require("node:fs"); | ||
| const path = "Formula/leadtype.rb"; | ||
| const src = fs.readFileSync(path, "utf8"); | ||
| const next = src | ||
| .replace(/^(\s*url\s+).*$/m, `$1"${process.env.URL}"`) | ||
| .replace(/^(\s*sha256\s+).*$/m, `$1"${process.env.SHA}"`); | ||
| if (next === src) { | ||
| console.error("Formula did not change; refusing to commit."); | ||
| process.exit(1); | ||
| } | ||
| fs.writeFileSync(path, next); |
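Review bot: both regexes match the first `url` and `sha256` line anywhere in the file, so `/^(\s*sha256\s+).*$/m` rewrites whichever stanza comes first. If `Formula/leadtype.rb` ever gains a `resource` or `bottle` block above the main pair, the wrong line is updated and the `next === src` check still passes. Anchor the match to the top-level pair, and check that `process.env.SHA` is 64 hex characters before writing.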
Assert that both formula fields were replaced.
This script only checks whether the file changed at all. If `Formula/leadtype.rb` drifts and one regex no longer matches, the workflow can still commit a partial update with a new `url` but stale `sha256` (or vice versa). Fail unless both replacements are applied.
Suggested fix
node -e '
const fs = require("node:fs");
const path = "Formula/leadtype.rb";
const src = fs.readFileSync(path, "utf8");
+ let replacedUrl = false;
+ let replacedSha = false;
const next = src
- .replace(/^(\s*url\s+).*$/m, `$1"${process.env.URL}"`)
- .replace(/^(\s*sha256\s+).*$/m, `$1"${process.env.SHA}"`);
- if (next === src) {
- console.error("Formula did not change; refusing to commit.");
+ .replace(/^(\s*url\s+).*$/m, (_, prefix) => {
+ replacedUrl = true;
+ return `${prefix}"${process.env.URL}"`;
+ })
+ .replace(/^(\s*sha256\s+).*$/m, (_, prefix) => {
+ replacedSha = true;
+ return `${prefix}"${process.env.SHA}"`;
+ });
+ if (!replacedUrl || !replacedSha) {
+ console.error("Expected url and sha256 fields were not both found.");
+ process.exit(1);
+ }
+ if (next === src) {
+ console.error("Formula did not change; refusing to commit.");
process.exit(1);
}
fs.writeFileSync(path, next);
'
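Review bot: the single `console.error("Expected url and sha256 fields were not both found.")` message does not say which field was missing. Report `replacedUrl` and `replacedSha` separately so a drifted formula can be diagnosed from the job log without rerunning.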
Summary
Adds a `bump-homebrew-tap` job to `.github/workflows/release.yml`. It runs after the `release` job on `main` and, if `leadtype` is in `publishedPackages`:
- `https://registry.npmjs.org/leadtype/-/leadtype-<version>.tgz` (with retry while the registry catches up).
- `inthhq/homebrew-tap` updating `Formula/leadtype.rb`'s `url` and `sha256` to the new version.
Tap CI then runs `brew audit --strict --online` and `brew test leadtype` against the change before the PR can be merged. The companion PR adding `Formula/leadtype.rb` to the tap is `inthhq/homebrew-tap#2`.
The `release` job's `outputs` block was added so the new job can read `publishedPackages`.
Required secret
Before merging, add a repo secret named `TAP_GITHUB_TOKEN`:
- `inthhq/homebrew-tap`
- `Contents: write`, `Pull requests: write`
The default `GITHUB_TOKEN` cannot push to another repository, which is why a dedicated PAT is required.
Test plan
- `TAP_GITHUB_TOKEN` to repo secrets.
- `inthhq/homebrew-tap#2` first so `Formula/leadtype.rb` exists.
- `leadtype` and confirm a bump PR appears at `inthhq/homebrew-tap` with the correct `url` + `sha256`.
- (`brew install`, `brew test`, `brew audit --strict --online`) passes against the bump PR.
Made with Cursor