audit(github): prefer /archive/refs/tags urls over /archive

[chenrui333]

• Have you followed the guidelines in our Contributing document?
• Have you checked to ensure there aren't other open Pull Requests for the same change?
• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your changes? Here's an example.
• Have you successfully run brew style with your changes locally?
• Have you successfully run brew typecheck with your changes locally?
• Have you successfully run brew tests with your changes locally?

---

followup mislav/bump-homebrew-formula-action#53

seeing couple of issues recently in homebrew-core for the artifact urls

[Bo98]

Good idea.

As is, this won't work with commit URLs like with LuaJIT, but you should be able to adjust the regex to exclude those types of URLs.

[chenrui333]

yeah, I will update all the urls later :)

[chenrui333]

Added a big PR to fix all the url formats, Homebrew/homebrew-core#152092

passed my style check in my local brew style homebrew/core

[chenrui333]

should be good to go

[MikeMcQuaid]

Would be nice to write an autocorrect for this if possible?

[chenrui333]

any example of doing autocorrect?

[MikeMcQuaid]

brew/Library/Homebrew/rubocops/homepage.rb

Line 46 in 121fc59

corrector.replace(homepage_parameter_node.source_range, "\"#{homepage}/\"")

Can wait till a follow-up PR but, if it's not too hard: autocorrects are always nice to have.

[chenrui333]

👍

[chenrui333]

rebased to latest master after Homebrew/homebrew-core#152092 merge

[chenrui333]

The current audit failures are due to the repo removal issues for hashpump and nethacked

/home/linuxbrew/.linuxbrew/Homebrew/Library/Taps/homebrew/homebrew-core/Formula/h/hashpump.rb:4:3: C: FormulaAudit/Urls: Use /archive/refs/tags URLs for GitHub tarballs (url is https://github.com/bwall/HashPump/archive/v1.2.0.tar.gz).
  url "https://github.com/bwall/HashPump/archive/v1.2.0.tar.gz"
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/home/linuxbrew/.linuxbrew/Homebrew/Library/Taps/homebrew/homebrew-core/Formula/n/nethacked.rb:24:3: C: FormulaAudit/Urls: Use /archive/refs/tags URLs for GitHub tarballs (url is https://github.com/nethacked/nethacked/archive/1.0.tar.gz).
  url "https://github.com/nethacked/nethacked/archive/1.0.tar.gz"

[Bo98]

You will need to change them still. Can do it in separate PRs to make it obvious it's not tested (though the orginal URL is broken anyway so it doesn't matter much).

[chenrui333]

I see, let me update those two then.

[chenrui333]

Should be good now.

[MikeMcQuaid]

I'm happy to merge when @Bo98 is ✅

[mahrud]

This PR broke using a branch archive for head builds. What I mean is that this:

  head do
    url "https://github.com/Macaulay2/M2/archive/refs/heads/master.tar.gz"
  end

Now gives an error: (see for instance this build)

Formula/macaulay2.rb:24:5: C: FormulaAudit/Urls: Use /archive/refs/tags URLs for GitHub tarballs (url is https://github.com/Macaulay2/M2/archive/refs/heads/master.tar.gz).
    url "https://github.com/Macaulay2/M2/archive/refs/heads/master.tar.gz"
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This is only relevant for --HEAD builds, where I think it's important to allow getting the latest commits from a branch before they are tagged.

I think the original rationale for preferring archive/refs/tags urls makes sense, but since there can be no confusion with archive/refs/heads urls, I don't see a reason to disallow the latter.

[Bo98]

Yeah we should update the regex to exclude refs/heads - that makes sense to me.

[MikeMcQuaid]

Yeah we should update the regex to exclude refs/heads - that makes sense to me.

@chenrui333 can you do this? Thanks!

[mahrud]

I opened #16155 to address this for now.