rubocops: Add HTTP URL check for formulae and casks

[p-linnane]

• Have you followed the guidelines in our Contributing document?
• Have you checked to ensure there aren't other open Pull Requests for the same change?
• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your changes? Here's an example.
• Have you successfully run brew lgtm (style, typechecking and tests) with your changes locally?

---

After some internal discussion we've decided to no longer allow HTTP URLs in Homebrew/core and Homebrew/cask. This doesn't include mirrors since we often use them for bootstrapping.

This should produce numerous failures right now, but it'll allow us to review them.

[Copilot]

Pull request overview

This PR adds RuboCop rules to disallow HTTP URLs (http://) in Homebrew/core and Homebrew/cask repositories, while allowing HTTP for mirror URLs in formulae since they may be needed for bootstrapping.

Key changes:

• Adds HttpUrls cop for formulae to detect and auto-correct http:// URLs to https://
• Extends cask URL cop to detect and auto-correct http:// URLs to https://
• Both cops only apply to homebrew-core and homebrew-cask taps respectively

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
Library/Homebrew/rubocops/urls.rb	Adds new HttpUrls FormulaCop that flags http:// URLs in homebrew-core formulae (excluding mirrors) and provides auto-correction to https://
Library/Homebrew/rubocops/cask/url.rb	Extends the existing Url cop to check for http:// URLs in homebrew-cask and provides auto-correction to https://
Library/Homebrew/test/rubocops/urls/http_spec.rb	Adds comprehensive test coverage for the new formula HttpUrls cop including offense detection, auto-correction, tap filtering, and mirror URL exclusion
Library/Homebrew/test/rubocops/cask/url_spec.rb	Adds test coverage for http:// URL detection in casks including offense detection, auto-correction, tap filtering, and https:// URL acceptance

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[daeho-ro]

Recently we got an error frequently,

Top 3 slowest examples (535.28 seconds, 58.1% of total time):
  Utils::Svn::remote_exists? when svn is available returns true when remote exists
    494.03 seconds ./test/utils/svn_spec.rb:49
  Homebrew::Cmd::Reinstall reinstalls a Formula
    23.6 seconds ./test/cmd/reinstall_spec.rb:10
  Homebrew::Cmd::InstallCmd when using a bottle installs a Formula
    17.65 seconds ./test/cmd/install_spec.rb:18

Top 3 slowest example groups:
  Utils::Svn
    82.45 seconds average (494.7 seconds / 6 examples) ./test/utils/svn_spec.rb:5
  Homebrew::Cmd::Reinstall
    12.3 seconds average (24.59 seconds / 2 examples) ./test/cmd/reinstall_spec.rb:7
  Homebrew::Cmd::InstallCmd
    9.68 seconds average (48.38 seconds / 5 examples) ./test/cmd/install_spec.rb:6

[cho-m]

Could exclude livecheck url from formula audit. This is implicitly done when using symbol (e.g. :homepage) and for cask audit.

[p-linnane]

There are 73 offenses in Homebrew/core currently. Excluding livecheck URLs brings it down to 48. I'm open to adding this, just not sure of the right way to do so.

[MikeMcQuaid]

@p-linnane What's blocking the other 48, out of interest?

[p-linnane]

Just going through and identifying other HTTPS sources. Sometimes Debian has them, albeit with a different checksum. Other times they're niche and don't really have any other options. I plan to dig in more over the coming days.

[cho-m]

I'm open to adding this, just not sure of the right way to do so.

Not sure on best option. Maybe trying to look at parent nodes to see if in livecheck block would be most accurate.

Easiest option may just be ignoring any url equal to livecheck url since we already have code that can extract livecheck url:

brew/Library/Homebrew/rubocops/urls.rb

Lines 21 to 25 in 7543440

	# Identify livecheck URLs, to skip some checks for them
	livecheck_url = if (livecheck = find_every_func_call_by_name(body_node, :livecheck).first) &&
	(livecheck_url = find_every_func_call_by_name(livecheck.parent, :url).first)
	string_content(parameters(livecheck_url).first)
	end