brew.env does not support expansion or substitution

[dkav]

brew doctor output

Your system is ready to brew.

Verification

• My "brew doctor output" above says Your system is ready to brew. and am still able to reproduce my issue.
• I ran brew update twice and am still able to reproduce my issue.
• This issue's title and/or description do not reference a single formula e.g. brew install wget. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.

brew config output

HOMEBREW_VERSION: 4.1.12-8-gafbea15
ORIGIN: https://github.com/Homebrew/brew
HEAD: afbea15d5cc2129b03498ebcc5e96dc5641c8874
Last commit: 11 hours ago
Core tap origin: https://github.com/Homebrew/homebrew-core
Core tap HEAD: 34507747b256bc8c174162d12708bb75cc9d5105
Core tap last commit: 17 minutes ago
Core tap branch: master
Core tap JSON: 24 Sep 01:37 UTC
HOMEBREW_PREFIX: /usr/local
HOMEBREW_AUTOREMOVE: set
HOMEBREW_BROWSER: open
HOMEBREW_CASK_OPTS: []
HOMEBREW_CLEANUP_MAX_AGE_DAYS: 14
HOMEBREW_DEVELOPER: set
HOMEBREW_EDITOR: /usr/local/bin/mvim
HOMEBREW_GITHUB_API_TOKEN: set
HOMEBREW_MAKE_JOBS: 8
HOMEBREW_NO_EMOJI: set
HOMEBREW_NO_ENV_HINTS: set
HOMEBREW_NO_INSTALL_FROM_API: set
HOMEBREW_NO_UPDATE_REPORT_NEW: set
HOMEBREW_SORBET_RUNTIME: set
Homebrew Ruby: 2.6.10 => /usr/local/Homebrew/Library/Homebrew/vendor/portable-ruby/2.6.10_1/bin/ruby
CPU: octa-core 64-bit ivybridge
Clang: 12.0.0 build 1200
Git: 2.42.0 => /usr/local/bin/git
Curl: 7.64.1 => /usr/bin/curl
macOS: 10.15.7-x86_64
CLT: 12.0.0.32.29
Xcode: N/A

What were you trying to do (and why)?

I was trying to setup brew.env in a similar fashion as my shell profile using expansion in the HOMEBREW_BUNDLE_FILE and substitution in the HOMEBREW_GITHUB_API_TOKEN.

HOMEBREW_BUNDLE_FILE=$HOME/.homebrew/Brewfile

HOMEBREW_GITHUB_API_TOKEN=$( cat ~/.token/homebrew_github_api_token )

What happened (include all command output)?

For HOMEBREW_BUNDLE_FILE=$HOME/.homebrew/Brewfile
Error: No such file or directory @ rb_sysopen - /Users/dkav/$HOME/.homebrew/Brewfile/

For HOMEBREW_GITHUB_API_TOKEN=$( cat ~/.token/homebrew_github_api_token ) the error was:
Error: GitHub API Error: Bad credentials
and the debug output:
\%\{http_code\} --header Authorization:\ token\ \$\(\ cat\ \~/.token/homebrew_github_api_token\ \)

What did you expect to happen?

For both HOMEBREW_BUNDLE_FILE and HOMEBREW_GITHUB_API_TOKEN I expected expansion and substitution respectively to work as in a standard Bash script.

Step-by-step reproduction instructions (by running brew commands)

For _HOMEBREW_BUNDLE_FILE_ I ran: 
`brew bundle dump --force`


For _HOMEBREW_GITHUB_API_TOKEN_ I ran:
`brew bump --verbose --open-pr whatsapp-legacy`

[apainintheneck]

This was done on purpose for security reasons. The original implementation used eval (#15787) but we later moved to using Bash builtins to help avoid potential security problems (#15821).

We should probably just try expanding environment variables in paths. That being said I don't think there is an easy way to do that without eval in Bash or Ruby. Python has a builtin method os.path.expandvars() that might work here if we ported it to Ruby (docs and code). There is also the envsubst method provided by GNU gettext but that's not available on MacOS and some Linux distros by default (man page and src). This is reasonably complex code that would take some time to port over though.

There also are probably some ways to escape/quote the Bash code to make eval less unsafe but I'm no Bash expert.

[MikeMcQuaid]

For HOMEBREW_BUNDLE_FILE=$HOME/.homebrew/Brewfile
Error: No such file or directory @ rb_sysopen - /Users/dkav/$HOME/.homebrew/Brewfile/

I think we could probably support ~/.homebrew/Brewfile easily enough if desired.

HOMEBREW_GITHUB_API_TOKEN=$( cat ~/.token/homebrew_github_api_token )

I don't think we can/should support running arbitrary commands in this situation, sorry.

This was done on purpose for security reasons. The original implementation used eval (#15787) but we later moved to using Bash builtins to help avoid potential security problems (#15821).

Agreed. I don't think it's worth making this more complex for that reason. If we want to add complexity: we should probably have a brew.json file eventually which lets you describe e.g. environment variable usage but without having to rely on an eval.

The solution for now I'd say is just to use your shell profile instead, sorry!

[dkav]

@MikeMcQuaid that's fine. Could the man page be updated to reflect the limitation. It would have helped me to have known.

[MikeMcQuaid]

@dkav Where would you expect to have found this information?

[dkav]

Somewhere around here:

brew/docs/Manpage.md

Line 2069 in f1d345a

`HOMEBREW_*` environment variables can also be set in Homebrew's environment

It's where I learned about brew.env.