111 changes: 111 additions & 0 deletions .github/workflows/release.yml
@@ -69,3 +69,114 @@ jobs:
run: |
echo "Published: ${{ steps.changesets.outputs.published }}"
echo "Published packages: ${{ steps.changesets.outputs.publishedPackages }}"

outputs:
published: ${{ steps.changesets.outputs.published }}
publishedPackages: ${{ steps.changesets.outputs.publishedPackages }}

# Opens a PR against inthhq/homebrew-tap whenever a new leadtype version is
# published to npm. Requires repository secret TAP_GITHUB_TOKEN: a
# fine-grained personal access token scoped to inthhq/homebrew-tap with
# Contents: write and Pull requests: write.
bump-homebrew-tap:
name: Bump Homebrew tap
needs: release
if: |
needs.release.outputs.published == 'true' &&
github.repository == 'inthhq/leadtype'
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Extract published leadtype version
id: version
env:
PUBLISHED: ${{ needs.release.outputs.publishedPackages }}
run: |
set -euo pipefail
VERSION="$(node -e '
const pkgs = JSON.parse(process.env.PUBLISHED || "[]");
const hit = pkgs.find(p => p.name === "leadtype");
if (!hit) { process.exit(0); }
process.stdout.write(hit.version);
')"
if [ -z "$VERSION" ]; then
echo "leadtype not in publishedPackages; nothing to bump."
echo "skip=true" >> "$GITHUB_OUTPUT"
exit 0
fi
echo "version=$VERSION" >> "$GITHUB_OUTPUT"

- name: Wait for npm tarball to be served and compute sha256
id: sha
if: steps.version.outputs.skip != 'true'
env:
VERSION: ${{ steps.version.outputs.version }}
run: |
set -euo pipefail
URL="https://registry.npmjs.org/leadtype/-/leadtype-${VERSION}.tgz"
for i in 1 2 3 4 5 6 7 8 9 10; do
if curl -fSL --connect-timeout 10 --max-time 60 "$URL" -o leadtype.tgz; then
break
fi
echo "Attempt $i: tarball not ready yet, sleeping..."
sleep $((i * 6))
done
test -s leadtype.tgz
SHA="$(shasum -a 256 leadtype.tgz | awk '{print $1}')"
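Review bot: the digest written into the formula (`SHA="$(shasum -a 256 leadtype.tgz | awk '{print $1}')"`) is computed solely from whatever bytes curl saved and is never compared with the integrity value the registry itself publishes for that version, so a corrupted or mismatched download would be sealed into the tap with a self-consistent but wrong hash. Consider also computing the sha512 of `leadtype.tgz`, fetching the packument for `${VERSION}` from registry.npmjs.org, and failing the step unless the digest matches that version's `dist.integrity`; only then emit `sha256=` to `$GITHUB_OUTPUT`.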
Comment on lines +118 to +126

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fail explicitly on incomplete downloads, not just empty files.

test -s leadtype.tgz only proves the file is non-empty. A failed curl can still leave a partial tarball behind, so this block may compute a SHA-256 for truncated content and open a broken tap PR. Track whether any retry actually succeeded and clear the file before each attempt.

Suggested fix
           URL="https://registry.npmjs.org/leadtype/-/leadtype-${VERSION}.tgz"
+          downloaded=false
           for i in 1 2 3 4 5 6 7 8 9 10; do
+            rm -f leadtype.tgz
             if curl -fSL --connect-timeout 10 --max-time 60 "$URL" -o leadtype.tgz; then
+              downloaded=true
               break
             fi
             echo "Attempt $i: tarball not ready yet, sleeping..."
             sleep $((i * 6))
           done
-          test -s leadtype.tgz
+          $downloaded || { echo "Tarball was never downloaded successfully"; exit 1; }
           SHA="$(shasum -a 256 leadtype.tgz | awk '{print $1}')"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 118 - 126, The retry loop
currently only checks that leadtype.tgz is non-empty before computing SHA, which
can allow partial downloads; modify the loop around the curl calls to remove any
existing leadtype.tgz before each attempt (rm -f leadtype.tgz), set a success
flag (e.g., CURL_SUCCESS=0/1) when curl succeeds and break, and after the loop
explicitly fail (exit 1) if the success flag is not set; only run test -s and
compute SHA="$(shasum -a 256 leadtype.tgz | awk '{print $1}')" when the curl
success flag indicates a successful full download.

echo "sha256=$SHA" >> "$GITHUB_OUTPUT"
echo "url=$URL" >> "$GITHUB_OUTPUT"

- name: Check out homebrew-tap
if: steps.version.outputs.skip != 'true'
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: inthhq/homebrew-tap
token: ${{ secrets.TAP_GITHUB_TOKEN }}
path: homebrew-tap

- name: Update formula
if: steps.version.outputs.skip != 'true'
env:
VERSION: ${{ steps.version.outputs.version }}
URL: ${{ steps.sha.outputs.url }}
SHA: ${{ steps.sha.outputs.sha256 }}
run: |
set -euo pipefail
cd homebrew-tap
node -e '
const fs = require("node:fs");
const path = "Formula/leadtype.rb";
const src = fs.readFileSync(path, "utf8");
const next = src
.replace(/^(\s*url\s+).*$/m, `$1"${process.env.URL}"`)
.replace(/^(\s*sha256\s+).*$/m, `$1"${process.env.SHA}"`);
if (next === src) {
console.error("Formula did not change; refusing to commit.");
process.exit(1);
}
fs.writeFileSync(path, next);
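Review bot: the rewrite interpolates `process.env.URL` and `process.env.SHA` into `Formula/leadtype.rb` without checking their shape, so an empty or malformed value from the previous step would be committed as `sha256 ""` and only be caught later by the tap's `brew audit`. A cheap guard before the `.replace` calls, for example `if (!/^[0-9a-f]{64}$/.test(process.env.SHA) || !process.env.URL.startsWith("https://registry.npmjs.org/leadtype/-/")) process.exit(1);`, keeps a bad value out of the commit entirely.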
Comment on lines +147 to +158

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Assert that both formula fields were replaced.

This script only checks whether the file changed at all. If Formula/leadtype.rb drifts and one regex no longer matches, the workflow can still commit a partial update with a new url but stale sha256 (or vice versa). Fail unless both replacements are applied.

Suggested fix
           node -e '
             const fs = require("node:fs");
             const path = "Formula/leadtype.rb";
             const src = fs.readFileSync(path, "utf8");
+            let replacedUrl = false;
+            let replacedSha = false;
             const next = src
-              .replace(/^(\s*url\s+).*$/m, `$1"${process.env.URL}"`)
-              .replace(/^(\s*sha256\s+).*$/m, `$1"${process.env.SHA}"`);
-            if (next === src) {
-              console.error("Formula did not change; refusing to commit.");
+              .replace(/^(\s*url\s+).*$/m, (_, prefix) => {
+                replacedUrl = true;
+                return `${prefix}"${process.env.URL}"`;
+              })
+              .replace(/^(\s*sha256\s+).*$/m, (_, prefix) => {
+                replacedSha = true;
+                return `${prefix}"${process.env.SHA}"`;
+              });
+            if (!replacedUrl || !replacedSha) {
+              console.error("Expected url and sha256 fields were not both found.");
+              process.exit(1);
+            }
+            if (next === src) {
+              console.error("Formula did not change; refusing to commit.");
               process.exit(1);
             }
             fs.writeFileSync(path, next);
           '
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 147 - 158, The script currently
only verifies the file changed generally; update it to assert that both
replacements happened by checking that the updated content contains both
process.env.URL and process.env.SHA (e.g., after creating next from src via the
two .replace calls, verify next.includes(process.env.URL) &&
next.includes(process.env.SHA)); if either check fails, write an error (mention
which replacement failed) to stderr and exit(1). Use the existing variables
(path, src, next, process.env.URL, process.env.SHA) and fail unless both
replacements are present.

'
git diff -- Formula/leadtype.rb

- name: Create pull request
if: steps.version.outputs.skip != 'true'
uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
with:
path: homebrew-tap
token: ${{ secrets.TAP_GITHUB_TOKEN }}
branch: bump-leadtype-${{ steps.version.outputs.version }}
base: main
commit-message: "leadtype ${{ steps.version.outputs.version }}"
title: "leadtype ${{ steps.version.outputs.version }}"
body: |
Bump `leadtype` to `${{ steps.version.outputs.version }}`.

- tarball: ${{ steps.sha.outputs.url }}
- sha256: `${{ steps.sha.outputs.sha256 }}`

Auto-generated by [inthhq/leadtype](https://github.com/inthhq/leadtype) release pipeline. Tap CI will run `brew audit --strict --online` and `brew test leadtype` against this change before it can be merged.
delete-branch: true
labels: |
automated
release
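Review bot: `base: main` is hard-coded in the create-pull-request step, while the earlier checkout of `inthhq/homebrew-tap` specifies no `ref:` and therefore edits whatever the tap's default branch is; if those ever diverge, the PR would target a branch other than the one the formula was modified on. Either pass `ref: main` to the checkout step or derive both from one variable so they cannot drift apart.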