From 64a3128ee7e8f6fa379b840f8b44cba7d3e6cd2b Mon Sep 17 00:00:00 2001
From: Christopher Burns
Date: Mon, 11 May 2026 18:13:16 -0700
Subject: [PATCH] ci(release): bump homebrew-tap formula on leadtype publish
Adds a `bump-homebrew-tap` job to the release workflow that fires after a successful npm publish on `main`. When `leadtype` is in `publishedPackages`, it downloads the new tarball from `registry.npmjs.org`, computes its sha256, and opens a PR against `inthhq/homebrew-tap` updating `Formula/leadtype.rb`'s `url` and `sha256`. Tap CI then runs `brew audit --strict --online` and `brew test leadtype` against the change before the PR can be merged. Requires repo secret TAP_GITHUB_TOKEN: a fine-grained PAT scoped to inthhq/homebrew-tap with Contents: write and Pull requests: write (GITHUB_TOKEN cannot push to another repository).
Co-authored-by: Cursor
---
 .github/workflows/release.yml | 111 ++++++++++++++++++++++++++++++++++
 1 file changed, 111 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ef051ca..0b6fef6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -69,3 +69,114 @@ jobs:
 run: |
 echo "Published: ${{ steps.changesets.outputs.published }}"
 echo "Published packages: ${{ steps.changesets.outputs.publishedPackages }}"
+
+ outputs:
+ published: ${{ steps.changesets.outputs.published }}
+ publishedPackages: ${{ steps.changesets.outputs.publishedPackages }}
+
+ # Opens a PR against inthhq/homebrew-tap whenever a new leadtype version is
+ # published to npm. Requires repository secret TAP_GITHUB_TOKEN: a
+ # fine-grained personal access token scoped to inthhq/homebrew-tap with
+ # Contents: write and Pull requests: write.
+ bump-homebrew-tap:
+ name: Bump Homebrew tap
+ needs: release
+ if: |
+ needs.release.outputs.published == 'true' &&
+ github.repository == 'inthhq/leadtype'
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Extract published leadtype version
+ id: version
+ env:
+ PUBLISHED: ${{ needs.release.outputs.publishedPackages }}
+ run: |
+ set -euo pipefail
+ VERSION="$(node -e '
+ const pkgs = JSON.parse(process.env.PUBLISHED || "[]");
+ const hit = pkgs.find(p => p.name === "leadtype");
+ if (!hit) { process.exit(0); }
+ process.stdout.write(hit.version);
+ ')"
+ if [ -z "$VERSION" ]; then
+ echo "leadtype not in publishedPackages; nothing to bump."
+ echo "skip=true" >> "$GITHUB_OUTPUT"
+ exit 0
+ fi
+ echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+ - name: Wait for npm tarball to be served and compute sha256
+ id: sha
+ if: steps.version.outputs.skip != 'true'
+ env:
+ VERSION: ${{ steps.version.outputs.version }}
+ run: |
+ set -euo pipefail
+ URL="https://registry.npmjs.org/leadtype/-/leadtype-${VERSION}.tgz"
+ for i in 1 2 3 4 5 6 7 8 9 10; do
+ if curl -fSL --connect-timeout 10 --max-time 60 "$URL" -o leadtype.tgz; then
+ break
+ fi
+ echo "Attempt $i: tarball not ready yet, sleeping..."
+ sleep $((i * 6))
+ done
+ test -s leadtype.tgz
+ SHA="$(shasum -a 256 leadtype.tgz | awk '{print $1}')"
+ echo "sha256=$SHA" >> "$GITHUB_OUTPUT"
+ echo "url=$URL" >> "$GITHUB_OUTPUT"
+
+ - name: Check out homebrew-tap
+ if: steps.version.outputs.skip != 'true'
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ repository: inthhq/homebrew-tap
+ token: ${{ secrets.TAP_GITHUB_TOKEN }}
+ path: homebrew-tap
+
+ - name: Update formula
+ if: steps.version.outputs.skip != 'true'
+ env:
+ VERSION: ${{ steps.version.outputs.version }}
+ URL: ${{ steps.sha.outputs.url }}
+ SHA: ${{ steps.sha.outputs.sha256 }}
+ run: |
+ set -euo pipefail
+ cd homebrew-tap
+ node -e '
+ const fs = require("node:fs");
+ const path = "Formula/leadtype.rb";
+ const src = fs.readFileSync(path, "utf8");
+ const next = src
+ .replace(/^(\s*url\s+).*$/m, `$1"${process.env.URL}"`)
+ .replace(/^(\s*sha256\s+).*$/m, `$1"${process.env.SHA}"`);
+ if (next === src) {
+ console.error("Formula did not change; refusing to commit.");
+ process.exit(1);
+ }
+ fs.writeFileSync(path, next);
+ '
+ git diff -- Formula/leadtype.rb
+
+ - name: Create pull request
+ if: steps.version.outputs.skip != 'true'
+ uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
+ with:
+ path: homebrew-tap
+ token: ${{ secrets.TAP_GITHUB_TOKEN }}
+ branch: bump-leadtype-${{ steps.version.outputs.version }}
+ base: main
+ commit-message: "leadtype ${{ steps.version.outputs.version }}"
+ title: "leadtype ${{ steps.version.outputs.version }}"
+ body: |
+ Bump `leadtype` to `${{ steps.version.outputs.version }}`.
+
+ - tarball: ${{ steps.sha.outputs.url }}
+ - sha256: `${{ steps.sha.outputs.sha256 }}`
+
+ Auto-generated by [inthhq/leadtype](https://github.com/inthhq/leadtype) release pipeline. Tap CI will run `brew audit --strict --online` and `brew test leadtype` against this change before it can be merged.
+ delete-branch: true
+ labels: |
+ automated
+ release
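Review bot: In the `Wait for npm tarball…` step the retry loop never records whether a download succeeded, so a final attempt that hits `--max-time 60` mid-transfer leaves a partial `leadtype.tgz`, `test -s leadtype.tgz` passes on it, and the sha256 of a truncated file goes into the formula PR. Removing the file on the failure path, `rm -f leadtype.tgz` just before the `echo "Attempt $i: …"` line, makes the `test -s` check mean what it is meant to. The digest is also only a hash of whatever the registry served at that moment; comparing it against the registry's `dist.integrity` for that version, or against the tarball the release job packed, would tie the pinned value to the published artifact rather than to one download. In the checkout step, `persist-credentials: false` would keep the TAP_GITHUB_TOKEN PAT out of `homebrew-tap/.git/config` while the `node -e` step runs; create-pull-request is handed the token through its own `token` input, so it presumably does not need the persisted copy, but confirm that before merging.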