
Fix Homebrew CI and add automated release workflow #1120

Merged
sbryngelson merged 4 commits into master from brewfix
Feb 3, 2026


@sbryngelson sbryngelson commented Feb 3, 2026

User description

Summary

  • Fix homebrew.yml to use correct tap prefix (mflowcode/test/mfc instead of mfc)
  • Add homebrew-release.yml to automate formula updates when new version tags are pushed
  • Update formula to v5.2.0 to match homebrew-mfc tap

Details

Bug fix (homebrew.yml)

The test step was using $(brew --prefix mfc) but the formula is installed from a temporary tap as mflowcode/test/mfc. This caused the "Test MFC installation" step to fail.

New release workflow (homebrew-release.yml)

When a new v* tag is pushed:

  1. Computes SHA256 of the release tarball
  2. Updates the formula in MFlowCode/homebrew-mfc
  3. Pushes to homebrew-mfc, which triggers bottle.yml to build bottles

Supports workflow_dispatch with dry-run option for manual testing.

Test plan

  • Tested homebrew.yml fix on sbryngelson/MFC fork - passed
  • PR triggers homebrew-release.yml to validate workflow (with secrets access)

Generated with Claude Code


PR Type

Enhancement, Bug fix


Description

  • Fix Homebrew CI test to use correct tap-qualified formula name

  • Add automated release workflow to update formula on version tags

  • Update MFC formula to v5.2.0 with new SHA256 hash

  • Support manual testing via workflow_dispatch with dry-run option


Diagram Walkthrough

flowchart LR
  A["Version Tag Pushed"] --> B["homebrew-release.yml"]
  C["Manual Trigger"] --> B
  D["PR Test"] --> B
  B --> E["Compute SHA256"]
  E --> F["Update Formula"]
  F --> G["Push to homebrew-mfc"]
  G --> H["Trigger bottle.yml"]
  I["homebrew.yml Fix"] --> J["Use Correct Tap Name"]
  J --> K["Pass Installation Tests"]

File Walkthrough

Relevant files
Configuration changes
mfc.rb
Update formula to v5.2.0                                                                 

packaging/homebrew/mfc.rb

  • Update version from v5.1.5 to v5.2.0
  • Update SHA256 hash to match new release tarball
+2/-2     
Enhancement
homebrew-release.yml
Add automated Homebrew formula release workflow                   

.github/workflows/homebrew-release.yml

  • New workflow triggered on version tags, manual dispatch, and PR
    changes
  • Automatically computes SHA256 of release tarball and validates URL
  • Updates formula in homebrew-mfc tap and removes old bottle blocks
  • Supports dry-run mode for testing and PR test mode with limited
    permissions
  • Includes comprehensive validation and summary reporting
+187/-0 
Bug fix
homebrew.yml
Fix Homebrew CI test with correct tap prefix                         

.github/workflows/homebrew.yml

  • Fix test step to use tap-qualified formula name mflowcode/test/mfc
  • Replace hardcoded brew --prefix mfc with variable $MFC_PREFIX
  • Update uninstall step to remove both formula and tap
  • Improve code formatting and consistency with proper quoting
+23/-17 


CodeAnt-AI Description

Fix Homebrew CI tests, update formula to v5.2.0, and add automated Homebrew release workflow

What Changed

  • Homebrew formula updated to v5.2.0 with the new SHA256 so installs reference the latest release.
  • CI test steps now check and uninstall the tap-qualified formula (mflowcode/test/mfc), fixing failures when the formula is installed from the temporary tap; tests verify binaries, venv, examples, and run a sample case.
  • Added a GitHub Actions workflow that, on a v* tag or manual trigger, computes the release tarball SHA256, updates the formula in the homebrew-mfc tap (replaces URL and SHA, removes bottle block), and can commit and push the change; the workflow supports dry-run and a PR test mode that validates version parsing and SHA computation without using repository secrets.

Impact

✅ Fewer CI Homebrew test failures
✅ Automated Homebrew formula updates on tagged releases
✅ Safer PR testing of release automation without exposing secrets


sbryngelson and others added 4 commits February 3, 2026 13:44
- Fix homebrew.yml to use correct tap prefix (mflowcode/test/mfc)
- Add homebrew-release.yml to automate formula updates on new tags
- Update formula to v5.2.0 to match homebrew-mfc tap

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use TAP_REPO_TOKEN secret (already exists in MFlowCode/MFC)
- Restore path restrictions in homebrew.yml for production

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When triggered by PR, runs in dry-run mode using v5.2.0 as test version.
This allows testing the workflow from a PR before merging.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fork PRs cannot access repository secrets, so skip steps that require
TAP_REPO_TOKEN. For PRs, only validate version parsing and SHA256.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings February 3, 2026 19:17

codeant-ai bot commented Feb 3, 2026

CodeAnt AI is reviewing your PR.




coderabbitai bot commented Feb 3, 2026

Warning

Rate limit exceeded

@sbryngelson has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 15 minutes and 28 seconds before requesting another review.


Comment on lines +26 to +187
name: Update homebrew-mfc tap
runs-on: ubuntu-latest

steps:
- name: Determine version
id: version
run: |
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
VERSION="${{ inputs.version }}"
elif [[ "${{ github.event_name }}" == "pull_request" ]]; then
# Use existing version for PR testing
VERSION="5.2.0"
echo "::notice::PR test mode - using version $VERSION"
else
# Extract version from tag (remove 'v' prefix)
VERSION="${GITHUB_REF#refs/tags/v}"
fi

if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "::error::Invalid version format: $VERSION (expected X.Y.Z)"
exit 1
fi

echo "version=$VERSION" >> "$GITHUB_OUTPUT"
echo "Version: $VERSION"

- name: Compute SHA256 of release tarball
id: sha256
run: |
VERSION="${{ steps.version.outputs.version }}"
URL="https://github.com/MFlowCode/MFC/archive/refs/tags/v${VERSION}.tar.gz"

echo "Downloading tarball from: $URL"

# Verify URL is reachable
HTTP_CODE=$(curl -sI -w "%{http_code}" -o /dev/null "$URL")
if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "302" ]]; then
echo "::error::Release tarball not found at $URL (HTTP $HTTP_CODE)"
echo "::error::Make sure the tag v${VERSION} exists and the release is published"
exit 1
fi

# Compute SHA256
SHA256=$(curl -sL "$URL" | sha256sum | awk '{print $1}')

if [[ -z "$SHA256" || "$SHA256" == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ]]; then
echo "::error::Failed to compute SHA256 (empty file or download failed)"
exit 1
fi

echo "sha256=$SHA256" >> "$GITHUB_OUTPUT"
echo "SHA256: $SHA256"

- name: PR test summary
if: ${{ github.event_name == 'pull_request' }}
run: |
echo "## PR Test Mode" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Validated:" >> $GITHUB_STEP_SUMMARY
echo "- Version parsing: v${{ steps.version.outputs.version }}" >> $GITHUB_STEP_SUMMARY
echo "- SHA256 computation: \`${{ steps.sha256.outputs.sha256 }}\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Skipped (secrets not available for fork PRs):" >> $GITHUB_STEP_SUMMARY
echo "- Checkout homebrew-mfc" >> $GITHUB_STEP_SUMMARY
echo "- Update formula" >> $GITHUB_STEP_SUMMARY
echo "- Push to tap" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "The full workflow will run when a \`v*\` tag is pushed after merge." >> $GITHUB_STEP_SUMMARY

- name: Checkout homebrew-mfc tap
if: ${{ github.event_name != 'pull_request' }}
uses: actions/checkout@v4
with:
repository: MFlowCode/homebrew-mfc
token: ${{ secrets.TAP_REPO_TOKEN }}
path: homebrew-mfc

- name: Update formula
if: ${{ github.event_name != 'pull_request' }}
run: |
VERSION="${{ steps.version.outputs.version }}"
SHA256="${{ steps.sha256.outputs.sha256 }}"
FORMULA="homebrew-mfc/Formula/mfc.rb"

echo "Updating formula to v${VERSION}..."

# Update URL
sed -i "s|url \"https://github.com/MFlowCode/MFC/archive/refs/tags/v[^\"]*\.tar\.gz\"|url \"https://github.com/MFlowCode/MFC/archive/refs/tags/v${VERSION}.tar.gz\"|" "$FORMULA"

# Update SHA256 (the one right after url, not bottle SHAs)
# This uses awk to only update the first sha256 after the url line
awk -v newsha="$SHA256" '
/^ url "https:\/\/github.com\/MFlowCode\/MFC/ { found_url=1 }
found_url && /^ sha256 "/ && !updated {
sub(/sha256 "[^"]*"/, "sha256 \"" newsha "\"")
updated=1
}
{ print }
' "$FORMULA" > "$FORMULA.tmp" && mv "$FORMULA.tmp" "$FORMULA"

# Remove existing bottle block (new bottles will be built by bottle.yml)
# This removes everything between "bottle do" and the matching "end"
awk '
/^ bottle do/ { in_bottle=1; next }
in_bottle && /^ end/ { in_bottle=0; next }
!in_bottle { print }
' "$FORMULA" > "$FORMULA.tmp" && mv "$FORMULA.tmp" "$FORMULA"

echo "Updated formula:"
head -30 "$FORMULA"

- name: Validate updated formula
if: ${{ github.event_name != 'pull_request' }}
run: |
cd homebrew-mfc
echo "Checking Ruby syntax..."
ruby -c Formula/mfc.rb

echo "Verifying URL and SHA256 were updated..."
grep -q "v${{ steps.version.outputs.version }}.tar.gz" Formula/mfc.rb || (echo "::error::URL not updated"; exit 1)
grep -q "${{ steps.sha256.outputs.sha256 }}" Formula/mfc.rb || (echo "::error::SHA256 not updated"; exit 1)

echo "Formula validation passed!"

- name: Commit and push to homebrew-mfc
if: ${{ github.event_name != 'pull_request' && github.event.inputs.dry_run != 'true' }}
run: |
cd homebrew-mfc
VERSION="${{ steps.version.outputs.version }}"

git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"

git add Formula/mfc.rb
git commit -m "Update MFC to v${VERSION}"

echo "Pushing to homebrew-mfc..."
git push origin main

echo "Successfully pushed formula update!"
echo "The bottle.yml workflow in homebrew-mfc will now build bottles automatically."

- name: Dry run summary
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run == 'true' }}
run: |
echo "::notice::DRY RUN - skipped push to homebrew-mfc"
echo ""
echo "Would have committed the following changes:"
cd homebrew-mfc
git diff Formula/mfc.rb

- name: Summary
if: ${{ github.event_name != 'pull_request' }}
run: |
VERSION="${{ steps.version.outputs.version }}"
echo "## Homebrew Formula Updated" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "- **Version:** v${VERSION}" >> $GITHUB_STEP_SUMMARY
echo "- **SHA256:** \`${{ steps.sha256.outputs.sha256 }}\`" >> $GITHUB_STEP_SUMMARY
echo "- **Tap:** [MFlowCode/homebrew-mfc](https://github.com/MFlowCode/homebrew-mfc)" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "The [bottle.yml](https://github.com/MFlowCode/homebrew-mfc/actions/workflows/bottle.yml) workflow will now build bottles for this release." >> $GITHUB_STEP_SUMMARY
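
Review bot: In the "Determine version" step, `VERSION="${{ inputs.version }}"` pastes the workflow_dispatch input into the script text before bash starts, so the `^[0-9]+\.[0-9]+\.[0-9]+$` check a few lines later only runs after any shell syntax in that value has already been interpreted. Pass the input through the step's `env:` block (for example `INPUT_VERSION: ${{ inputs.version }}`, a name chosen here) and read it as `"$INPUT_VERSION"`, so the value stays data and the regex is the actual gate. The later `${{ steps.version.outputs.version }}` and `${{ steps.sha256.outputs.sha256 }}` expansions only ever carry values that have already passed that check or come out of sha256sum, so they can stay as they are.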

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 1 month ago

To fix this, explicitly set least‑privilege GITHUB_TOKEN permissions in the workflow. This workflow does not need to write to the current repository or to issues/PRs; it only needs to read repository contents (and uses a separate PAT secret for pushing to homebrew-mfc). Therefore, the safest fix is to add a top‑level permissions: block with contents: read. Placing it at the root (next to name and on) applies to all jobs, including update-homebrew-tap, without changing any behavior.

Concretely:

  • Edit .github/workflows/homebrew-release.yml.

  • After the existing name: Update Homebrew Formula on Release line, insert:

    permissions:
      contents: read

No additional methods, imports, or other definitions are needed; this is a pure configuration change in the workflow file.

Suggested changeset 1
.github/workflows/homebrew-release.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/homebrew-release.yml b/.github/workflows/homebrew-release.yml
--- a/.github/workflows/homebrew-release.yml
+++ b/.github/workflows/homebrew-release.yml
@@ -1,4 +1,6 @@
 name: Update Homebrew Formula on Release
+permissions:
+  contents: read
 
 # Triggers when a new version tag is pushed
 on:
EOF
@@ -1,4 +1,6 @@
name: Update Homebrew Formula on Release
permissions:
contents: read

# Triggers when a new version tag is pushed
on:
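
Review bot: `contents: read` at the top level is still more than the job quoted earlier on this page (lines +26 to +187) uses: none of its steps checks out this repository or calls the API with GITHUB_TOKEN, and the tap checkout and push go through `secrets.TAP_REPO_TOKEN`. `permissions: {}` would state that directly, with `contents: read` added back only if a step later needs to read this repository, for example to parse packaging/homebrew/mfc.rb as one of the suggestions proposes.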
Copilot is powered by AI and may make mistakes. Always verify output.
@qodo-code-review

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Possible Issue

The SHA computation streams curl directly into sha256sum without set -euo pipefail (or equivalent checks). If curl fails mid-stream or is interrupted, the pipeline can still yield a hash of partial content and proceed. Consider hard-failing on download errors (e.g., curl -fL --retry ... -o file then sha256sum file) and/or enabling pipefail.

- name: Compute SHA256 of release tarball
  id: sha256
  run: |
    VERSION="${{ steps.version.outputs.version }}"
    URL="https://github.com/MFlowCode/MFC/archive/refs/tags/v${VERSION}.tar.gz"

    echo "Downloading tarball from: $URL"

    # Verify URL is reachable
    HTTP_CODE=$(curl -sI -w "%{http_code}" -o /dev/null "$URL")
    if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "302" ]]; then
      echo "::error::Release tarball not found at $URL (HTTP $HTTP_CODE)"
      echo "::error::Make sure the tag v${VERSION} exists and the release is published"
      exit 1
    fi

    # Compute SHA256
    SHA256=$(curl -sL "$URL" | sha256sum | awk '{print $1}')

    if [[ -z "$SHA256" || "$SHA256" == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ]]; then
      echo "::error::Failed to compute SHA256 (empty file or download failed)"
      exit 1
    fi

    echo "sha256=$SHA256" >> "$GITHUB_OUTPUT"
    echo "SHA256: $SHA256"
Fragile Logic

The awk deletion of the bottle block removes lines between bottle do and the next end that matches the same indentation, but it does not actually match nested Ruby structure; it will also remove any other end encountered while in_bottle is true, which could behave unexpectedly if formatting/indentation changes in the formula. Consider using a more robust range deletion (e.g., track indentation explicitly, or use a Ruby-aware approach), and add a validation that a bottle block was actually removed when expected.

# Remove existing bottle block (new bottles will be built by bottle.yml)
# This removes everything between "bottle do" and the matching "end"
awk '
  /^  bottle do/ { in_bottle=1; next }
  in_bottle && /^  end/ { in_bottle=0; next }
  !in_bottle { print }
' "$FORMULA" > "$FORMULA.tmp" && mv "$FORMULA.tmp" "$FORMULA"
Duplication

MFC_PREFIX is computed in multiple steps, and the binary existence checks still use $(brew --prefix)/bin/... while other checks use MFC_PREFIX. Consider centralizing prefix resolution (single step output/env) and consistently using MFC_PREFIX (with quoting) to avoid future tap/name mismatches and shell word-splitting issues.

    # Use the full tap-qualified name since we installed from mflowcode/test
    MFC_PREFIX="$(brew --prefix mflowcode/test/mfc)"
    echo "MFC prefix: $MFC_PREFIX"

    echo "1. Checking binaries exist and are executable..."
    test -f $(brew --prefix)/bin/mfc && test -x $(brew --prefix)/bin/mfc
    test -f $(brew --prefix)/bin/pre_process && test -x $(brew --prefix)/bin/pre_process
    test -f $(brew --prefix)/bin/simulation && test -x $(brew --prefix)/bin/simulation
    test -f $(brew --prefix)/bin/post_process && test -x $(brew --prefix)/bin/post_process
    echo "  ✓ All binaries exist and are executable"

    echo "2. Verifying installation structure..."
    test -f "$MFC_PREFIX/libexec/mfc.sh"
    test -d "$MFC_PREFIX/toolchain"
    echo "  ✓ Installation structure verified"

    echo "3. Checking Python venv..."
    test -d "$MFC_PREFIX/libexec/venv"
    test -f "$MFC_PREFIX/libexec/venv/bin/python"
    test -f "$MFC_PREFIX/libexec/venv/bin/pip"
    echo "  ✓ Python venv exists"

    echo "4. Checking examples..."
    test -d "$MFC_PREFIX/examples"
    test -f "$MFC_PREFIX/examples/1D_sodshocktube/case.py"
    echo "  ✓ Examples installed"

    echo "5. Testing mfc wrapper..."
    mfc --help
    echo "  ✓ mfc --help succeeded"

    echo "=== All tests passed! ==="

- name: Run MFC test case
  run: |
    echo "Running a simple test case (1D Sod shock tube)..."
    MFC_PREFIX="$(brew --prefix mflowcode/test/mfc)"
    TESTDIR=$(mktemp -d)
    cp "$MFC_PREFIX/examples/1D_sodshocktube/case.py" "$TESTDIR/"

    echo "Running with $(sysctl -n hw.ncpu) processors..."
    # Use absolute path and shorthand syntax (mfc auto-detects and prepends 'run')
    mfc "$TESTDIR/case.py" -j $(sysctl -n hw.ncpu)

    echo "Test case completed successfully!"
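
The "Possible Issue" above can be reproduced offline. The script below is an added example, not code from this PR or the MFC project: `good_download` and `truncated_download` are constructed stand-ins for `curl -sL "$URL"`, and all function names are chosen here. It shows that the workflow's empty-hash check accepts the digest of a truncated body, and two ways to fail instead.

```bash
#!/usr/bin/env bash
# Added example with constructed inputs; no network access is needed.

# SHA-256 of zero bytes: the only bad digest the workflow's check rejects.
EMPTY_SHA256="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Hash stdin and print only the hex digest (sha256sum on Linux, shasum elsewhere).
sha256_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi |
    awk '{print $1}'
}

# Hypothetical stand-ins for `curl -sL "$URL"`.
good_download() { printf 'complete tarball bytes'; }
# Part of the body arrives, then the transfer dies (curl exits 18 on a partial file).
truncated_download() { printf 'complete tar'; return 18; }

# The workflow's acceptance test: non-empty and not the empty-input digest.
workflow_accepts() {
  [ -n "$1" ] && [ "$1" != "$EMPTY_SHA256" ]
}

# Pattern from the workflow. Without pipefail the pipeline's status is that of
# its last command, so the producer's failure is lost.
hash_stream_unsafe() {
  "$1" | sha256_stdin
}

# Same pipeline with pipefail, scoped to a subshell so the option does not leak.
# The partial digest is still printed, but the status is now non-zero, which
# makes `SHA256=$(...)` fail under `bash -e`.
hash_stream_pipefail() (
  set -o pipefail
  "$1" | sha256_stdin
)

# Download to a file first, check the transfer status, then hash the file.
hash_download_safe() {
  local fetch="$1" tmp sha
  tmp="$(mktemp)" || return 1
  # In the real step this would be: curl -fsSL --retry 3 -o "$tmp" "$URL"
  if ! "$fetch" > "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  sha="$(sha256_stdin < "$tmp")"
  rm -f "$tmp"
  # Accept only a 64-character lowercase hex digest of non-empty input.
  case "$sha" in *[!0-9a-f]* | '') return 1 ;; esac
  [ "${#sha}" -eq 64 ] || return 1
  [ "$sha" != "$EMPTY_SHA256" ] || return 1
  printf '%s\n' "$sha"
}

demo() {
  local partial
  partial="$(hash_stream_unsafe truncated_download)"
  if workflow_accepts "$partial"; then
    echo "unsafe: digest of truncated body accepted: $partial"
  fi
  if ! hash_stream_pipefail truncated_download >/dev/null; then
    echo "pipefail: truncated download reported as failure"
  fi
  if ! hash_download_safe truncated_download; then
    echo "file-based: truncated download rejected, no digest emitted"
  fi
}
demo
```
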

@codeant-ai codeant-ai bot added the size:L This PR changes 100-499 lines, ignoring generated files label Feb 3, 2026

High-level Suggestion

Replace the brittle sed and awk commands used for modifying the Homebrew formula with a more robust Ruby script. This makes the release automation less likely to fail due to future formatting changes in the formula file. [High-level, importance: 8]

Solution Walkthrough:

Before:

# In .github/workflows/homebrew-release.yml
- name: Update formula
  run: |
    FORMULA="homebrew-mfc/Formula/mfc.rb"
    # Update URL with sed
    sed -i "s|url \"https...\"|url \"https...${VERSION}.tar.gz\"|" "$FORMULA"

    # Update SHA256 with awk, assuming it's after the url
    awk -v newsha="$SHA256" '
      /^  url "/ { found_url=1 }
      found_url && /^  sha256 "/ { ... sub(...) ... }
      { print }
    ' "$FORMULA" > "$FORMULA.tmp" && mv "$FORMULA.tmp" "$FORMULA"

    # Remove bottle block with awk
    awk '/^  bottle do/,/^  end/ { next } { print }' "$FORMULA" > ...

After:

# In .github/workflows/homebrew-release.yml
- name: Update formula
  run: |
    # Use a dedicated Ruby script for safer manipulation
    ruby ./path/to/update_formula.rb \
      --file="homebrew-mfc/Formula/mfc.rb" \
      --version="${{ steps.version.outputs.version }}" \
      --sha256="${{ steps.sha256.outputs.sha256 }}"

# In ./path/to/update_formula.rb (conceptual)
# ... Ruby code to parse arguments ...
content = File.read(formula_path)
# Use robust regex to replace url and sha256
content.sub!(/url "[^"]+"/, "url \"...v#{version}.tar.gz\"")
content.sub!(/sha256 "[^"]+"/, "sha256 \"#{sha256}\"")
# Remove bottle block
content.gsub!(/  bottle do\n(.+\n)+?  end\n/, "")
File.write(formula_path, content)
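
One way to act on the "Fragile Logic" note and the suggestion above while staying in the workflow's shell: track the bottle block's own indentation, require every edit to have happened, and replace the file only if post-conditions hold. This is an added example, not the project's script; `update_formula`, `write_sample_formula` and the sample formula with its placeholder digests are constructed here.

```bash
#!/usr/bin/env bash
# Added example: fail-closed rewrite of url, sha256 and bottle block in a formula.

# Constructed sample formula; the digests are placeholders, not real checksums.
write_sample_formula() {
  local z="0000000000000000" f="ffffffffffffffff"
  cat > "$1" <<EOF
class Mfc < Formula
  desc "Constructed sample formula"
  homepage "https://example.invalid/mfc"
  url "https://github.com/MFlowCode/MFC/archive/refs/tags/v5.1.5.tar.gz"
  sha256 "$z$z$z$z"

  bottle do
    root_url "https://example.invalid/bottles"
    sha256 cellar: :any, arm64_sonoma: "$f$f$f$f"
  end

  def install
    system "true"
  end
end
EOF
}

# update_formula FILE VERSION SHA256
# Returns 2 for rejected input, 1 if the formula did not have the expected
# shape; in both cases FILE is left untouched.
update_formula() {
  local formula="$1" version="$2" sha="$3" tmp
  # Both values are written into Ruby source, so accept only exact shapes.
  case "$version" in *[!0-9.]* | '') return 2 ;; esac
  printf '%s\n' "$version" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 2
  case "$sha" in *[!0-9a-f]* | '') return 2 ;; esac
  [ "${#sha}" -eq 64 ] || return 2

  tmp="$(mktemp "${formula}.XXXXXX")" || return 1
  if ! awk -v ver="$version" -v newsha="$sha" '
    # Start of the bottle block: remember its indentation.
    !in_bottle && /^[ \t]*bottle do[ \t]*$/ {
      match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH)
      in_bottle = 1; next
    }
    # Inside the block: drop lines up to an "end" at that same indentation.
    in_bottle { if ($0 == indent "end") { in_bottle = 0; skip_blank = 1 } next }
    # Drop one blank line after the block so no double blank line is left.
    skip_blank { skip_blank = 0; if ($0 ~ /^[ \t]*$/) next }
    # Source tarball URL: replace only the tag component.
    !url_done && /^[ \t]*url "https:\/\/github\.com\/MFlowCode\/MFC\/archive\/refs\/tags\/v[^"]*\.tar\.gz"/ {
      sub(/tags\/v[^"]*\.tar\.gz"/, "tags/v" ver ".tar.gz\"")
      url_done = 1; print; next
    }
    # The first quoted sha256 after that URL is the source checksum.
    url_done && !sha_done && /^[ \t]*sha256 "[^"]*"/ {
      sub(/sha256 "[^"]*"/, "sha256 \"" newsha "\"")
      sha_done = 1; print; next
    }
    { print }
    # Fail if an edit did not happen or the bottle block never closed.
    END { if (!url_done || !sha_done || in_bottle) exit 1 }
  ' "$formula" > "$tmp"; then
    rm -f "$tmp"
    return 1
  fi

  # Post-conditions on the result, checked before the original is replaced.
  [ "$(grep -Fc "refs/tags/v${version}.tar.gz\"" "$tmp")" -eq 1 ] &&
    [ "$(grep -Fc "sha256 \"${sha}\"" "$tmp")" -eq 1 ] &&
    ! grep -Eq '^[[:space:]]*bottle do' "$tmp" || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$formula"
}

demo() {
  local dir h="0123456789abcdef"
  dir="$(mktemp -d)" || return 1
  write_sample_formula "$dir/mfc.rb"
  if update_formula "$dir/mfc.rb" "5.2.0" "$h$h$h$h"; then
    cat "$dir/mfc.rb"
  fi
  rm -rf "$dir"
}
demo
```
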

Comment on lines +150 to +166
- name: Commit and push to homebrew-mfc
if: ${{ github.event_name != 'pull_request' && github.event.inputs.dry_run != 'true' }}
run: |
cd homebrew-mfc
VERSION="${{ steps.version.outputs.version }}"

git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"

git add Formula/mfc.rb
git commit -m "Update MFC to v${VERSION}"

echo "Pushing to homebrew-mfc..."
git push origin main

echo "Successfully pushed formula update!"
echo "The bottle.yml workflow in homebrew-mfc will now build bottles automatically."

Suggestion: Instead of pushing directly to the main branch of the homebrew-mfc repository, modify the workflow to open a pull request with the proposed formula changes. [security, importance: 8]

Suggested change
- name: Commit and push to homebrew-mfc
if: ${{ github.event_name != 'pull_request' && github.event.inputs.dry_run != 'true' }}
run: |
cd homebrew-mfc
VERSION="${{ steps.version.outputs.version }}"
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add Formula/mfc.rb
git commit -m "Update MFC to v${VERSION}"
echo "Pushing to homebrew-mfc..."
git push origin main
echo "Successfully pushed formula update!"
echo "The bottle.yml workflow in homebrew-mfc will now build bottles automatically."
- name: Create Pull Request to homebrew-mfc
if: ${{ github.event_name != 'pull_request' && github.event.inputs.dry_run != 'true' }}
uses: peter-evans/create-pull-request@v6
with:
path: homebrew-mfc
token: ${{ secrets.TAP_REPO_TOKEN }}
commit-message: "Update MFC to v${{ steps.version.outputs.version }}"
title: "Update MFC to v${{ steps.version.outputs.version }}"
body: |
Automated update of the `mfc` formula to version `${{ steps.version.outputs.version }}`.
- **Version:** `${{ steps.version.outputs.version }}`
- **SHA256:** `${{ steps.sha256.outputs.sha256 }}`
This PR was generated automatically by the release workflow.
branch: "release/mfc-v${{ steps.version.outputs.version }}"
base: main
delete-branch: true

Comment on lines +214 to 218
MFC_PREFIX="$(brew --prefix mflowcode/test/mfc)"
echo "MFC prefix: $MFC_PREFIX"

echo "1. Checking binaries exist and are executable..."
test -f $(brew --prefix)/bin/mfc && test -x $(brew --prefix)/bin/mfc

Suggestion: In the test step, replace $(brew --prefix) with the tap-specific "$MFC_PREFIX" variable for all file and executable checks to ensure tests target the correct installation. [possible issue, importance: 7]

Suggested change
MFC_PREFIX="$(brew --prefix mflowcode/test/mfc)"
echo "MFC prefix: $MFC_PREFIX"
echo "1. Checking binaries exist and are executable..."
test -f $(brew --prefix)/bin/mfc && test -x $(brew --prefix)/bin/mfc
MFC_PREFIX="$(brew --prefix mflowcode/test/mfc)"
...
test -f "$MFC_PREFIX/bin/mfc" && test -x "$MFC_PREFIX/bin/mfc"

Comment on lines +35 to +38
elif [[ "${{ github.event_name }}" == "pull_request" ]]; then
# Use existing version for PR testing
VERSION="5.2.0"
echo "::notice::PR test mode - using version $VERSION"

Suggestion: Instead of hard-coding the version for pull request tests, dynamically extract the version from the packaging/homebrew/mfc.rb file. [general, importance: 6]

Suggested change
elif [[ "${{ github.event_name }}" == "pull_request" ]]; then
# Use existing version for PR testing
VERSION="5.2.0"
echo "::notice::PR test mode - using version $VERSION"
elif [[ "${{ github.event_name }}" == "pull_request" ]]; then
# Extract version from formula to avoid hard-coding
VERSION=$(grep -Po 'refs/tags/v\K[0-9]+\.[0-9]+\.[0-9]+' packaging/homebrew/mfc.rb)
echo "::notice::PR test mode - using version $VERSION (extracted from formula)"

Comment on lines +52 to +56
- name: Compute SHA256 of release tarball
id: sha256
run: |
VERSION="${{ steps.version.outputs.version }}"
URL="https://github.com/MFlowCode/MFC/archive/refs/tags/v${VERSION}.tar.gz"

Suggestion: Add set -euo pipefail to the beginning of multi-line run steps to enable stricter error handling in the bash scripts. [general, importance: 5]

Suggested change
- name: Compute SHA256 of release tarball
id: sha256
run: |
VERSION="${{ steps.version.outputs.version }}"
URL="https://github.com/MFlowCode/MFC/archive/refs/tags/v${VERSION}.tar.gz"
- name: Compute SHA256 of release tarball
id: sha256
run: |
set -euo pipefail
VERSION="${{ steps.version.outputs.version }}"
URL="https://github.com/MFlowCode/MFC/archive/refs/tags/v${VERSION}.tar.gz"


codeant-ai bot commented Feb 3, 2026

Nitpicks 🔍

🔒 No security issues identified
⚡ Recommended areas for review

  • Checksum validity
    The new sha256 must match the tarball at the specified tag URL. The release workflow that updates this formula must reliably compute and update this checksum. Verify the value matches the published tarball and that your CI/release workflow updates it automatically when new tags are created.

  • Version inference
    The formula's URL points at a GitHub tag with a leading "v" (v5.2.0). Homebrew normally strips a leading "v" when deriving version, but if anything changes in how version is inferred (or if tools reading version.to_s expect a numeric-only form), downstream logic that relies on version (for example the env variables set later in the formula) could receive a string with a "v" prefix. Confirm version is the expected "5.2.0" and not "v5.2.0".


codeant-ai bot commented Feb 3, 2026

CodeAnt AI finished reviewing your PR.

Copilot AI left a comment

Pull request overview

This PR fixes a bug in the Homebrew formula testing workflow and adds a new automated release workflow for updating the Homebrew formula when version tags are pushed. The changes update the formula version to v5.2.0 and ensure proper tap-qualified naming is used throughout the testing process.

Changes:

  • Fixed homebrew.yml to use the correct tap-qualified prefix (mflowcode/test/mfc) when verifying the test installation
  • Added homebrew-release.yml workflow to automatically update the formula in the homebrew-mfc tap when new v* tags are pushed
  • Updated formula version from v5.1.5 to v5.2.0 with corresponding SHA256 hash

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.

File | Description
packaging/homebrew/mfc.rb | Updates formula to v5.2.0 with new tarball URL and SHA256 hash
.github/workflows/homebrew.yml | Fixes tap prefix references to use mflowcode/test/mfc instead of mfc throughout test and cleanup steps
.github/workflows/homebrew-release.yml | New workflow to automate formula updates in homebrew-mfc tap when version tags are pushed, with PR testing and dry-run capabilities

Comment on lines +174 to +175
cd homebrew-mfc
git diff Formula/mfc.rb
Copilot AI Feb 3, 2026

The dry run summary step will fail because it tries to cd homebrew-mfc, but the "Checkout homebrew-mfc tap" step (line 95-101) only runs when github.event_name != 'pull_request'. In dry-run mode during workflow_dispatch, the homebrew-mfc directory won't exist. The condition should also check that the directory was actually checked out.

Suggested change
cd homebrew-mfc
git diff Formula/mfc.rb
if [ -d homebrew-mfc ]; then
cd homebrew-mfc
git diff Formula/mfc.rb
else
echo "::notice::homebrew-mfc tap directory not found; nothing to diff."
fi

Copilot uses AI. Check for mistakes.
git diff Formula/mfc.rb

- name: Summary
if: ${{ github.event_name != 'pull_request' }}
Copilot AI Feb 3, 2026

The Summary step (lines 177-187) will run even in dry-run mode because its condition is github.event_name != 'pull_request', which includes workflow_dispatch dry runs. This will display "Homebrew Formula Updated" even though nothing was actually pushed in dry-run mode. Consider updating the condition to also exclude dry runs: github.event_name != 'pull_request' && github.event.inputs.dry_run != 'true'

Suggested change
if: ${{ github.event_name != 'pull_request' }}
if: ${{ github.event_name != 'pull_request' && github.event.inputs.dry_run != 'true' }}

Comment on lines +24 to +27
jobs:
update-homebrew-tap:
name: Update homebrew-mfc tap
runs-on: ubuntu-latest
Copilot AI Feb 3, 2026

This workflow doesn't explicitly declare permissions at the workflow or job level. While it will inherit default permissions, explicitly declaring permissions is a security best practice. Consider adding permissions: contents: read at the workflow level to follow the principle of least privilege, similar to deploy-tap.yml line 20-21.

VERSION="${GITHUB_REF#refs/tags/v}"
fi

if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
Copilot AI Feb 3, 2026

The version validation regex ^[0-9]+\.[0-9]+\.[0-9]+$ only accepts semantic versions with exactly three numeric components (X.Y.Z). This doesn't support pre-release versions like 5.2.0-beta1 or 5.2.0-rc1. If MFC uses pre-release tags, this validation will reject them. Consider whether pre-release versions need to be supported, and if so, update the regex accordingly.

Comment on lines +4 to +7
on:
push:
tags:
- 'v*'

Copilot AI Feb 3, 2026

Both deploy-tap.yml (line 17) and this new homebrew-release.yml workflow will trigger when a version tag is pushed. This could lead to a race condition where both workflows try to update the homebrew-mfc tap simultaneously. Consider:

  1. Disabling tag handling in deploy-tap.yml by removing the create: trigger and adding a path filter to exclude tag events, or
  2. Coordinating the two workflows so only one handles tag releases

The two workflows have different approaches: deploy-tap.yml updates the formula in this repo first then pushes to the tap, while homebrew-release.yml directly updates the tap repo. Having both active for tag events could cause conflicts.

fi

# Compute SHA256
SHA256=$(curl -sL "$URL" | sha256sum | awk '{print $1}')
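
Review bot: the curl call on the SHA256 line has no -f/--fail, so an HTTP error response (for example an error page returned while the tag's tarball is not yet available) is hashed as if it were the release tarball, and because only the last command's status counts in a pipeline, a curl failure does not fail the step unless pipefail is in effect. Suggest curl -fsSL with set -o pipefail, or download to a file first and hash the file, and reject an empty or malformed digest before it is written into the formula.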

Copilot AI Feb 3, 2026

This workflow uses sha256sum which is the Linux version, but other workflows in this repository (deploy-tap.yml line 58 and homebrew.yml line 104) use shasum -a 256 instead. While both work on ubuntu-latest, using shasum would be more consistent with the existing codebase conventions and also more portable if the runner ever changes to macOS.

Comment on lines +128 to +132
awk '
/^ bottle do/ { in_bottle=1; next }
in_bottle && /^ end/ { in_bottle=0; next }
!in_bottle { print }
' "$FORMULA" > "$FORMULA.tmp" && mv "$FORMULA.tmp" "$FORMULA"

Copilot AI Feb 3, 2026

The awk script to remove bottle blocks assumes the bottle block is indented with exactly two spaces (matching the pattern /^ bottle do/ and /^ end/). If the formula structure changes or uses different indentation, this could fail silently and leave the bottle block in place. Consider adding validation after this step to ensure the bottle block was removed, or use a more robust approach like checking for bottle do without the strict indentation requirement.
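
One way to do what the comment above asks for: strip the bottle block at any indentation and verify that it is gone before the formula is replaced. This is an added example, not code from the PR or the project's workflow; the function names and the sample formula are constructed for illustration.

```shell
# Added example with hypothetical helper names; not the workflow's own code.
# Print the formula without its bottle block. The closing `end` is the line at
# the same indentation as `bottle do`. Exits 2 if the block never closes.
strip_bottle_block() {
  awk '
    !in_bottle && /^[ \t]*bottle do[ \t]*$/ {
      indent = $0
      sub(/bottle do[ \t]*$/, "", indent)   # keep only the leading whitespace
      in_bottle = 1
      next
    }
    in_bottle {
      line = $0
      sub(/[ \t]+$/, "", line)
      if (line == indent "end") in_bottle = 0
      next
    }
    { print }
    END { if (in_bottle) exit 2 }
  ' "$1"
}

# Replace the file only when the stripped copy is verified bottle-free.
remove_bottle_verified() {
  formula=$1
  tmp=$(mktemp) || return 1
  if ! strip_bottle_block "$formula" > "$tmp"; then
    rm -f "$tmp"; echo "unterminated bottle block in $formula" >&2; return 1
  fi
  if grep -Eq '^[[:space:]]*bottle[[:space:]]+do' "$tmp"; then
    rm -f "$tmp"; echo "bottle block still present in $formula" >&2; return 1
  fi
  cat "$tmp" > "$formula" && rm -f "$tmp"   # keeps the formula's file mode
}

# Constructed sample formula with four-space indentation (hypothetical content).
write_sample_formula() {
  cat > "$1" <<'EOF'
class Mfc < Formula
    url "https://example.invalid/v0.0.0.tar.gz"
    bottle do
        sha256 cellar: :any, placeholder: "0000"
    end
    def install
        system "true"
    end
end
EOF
}
```

A non-zero return from remove_bottle_verified leaves the formula untouched, so the workflow step fails instead of pushing a formula that still carries stale bottle hashes.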

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

echo "- **SHA256:** \`${{ steps.sha256.outputs.sha256 }}\`" >> $GITHUB_STEP_SUMMARY
echo "- **Tap:** [MFlowCode/homebrew-mfc](https://github.com/MFlowCode/homebrew-mfc)" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "The [bottle.yml](https://github.com/MFlowCode/homebrew-mfc/actions/workflows/bottle.yml) workflow will now build bottles for this release." >> $GITHUB_STEP_SUMMARY
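
Review bot: the SHA256 line expands the steps.sha256.outputs.sha256 expression directly into the script text, and $GITHUB_STEP_SUMMARY is unquoted on all four lines. Suggest passing the step output through an env: entry and echoing the quoted variable, and redirecting to "$GITHUB_STEP_SUMMARY", so the script text never depends on the contents of a step output.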

Misleading summary output during dry run mode

Low Severity

The "Summary" step runs when dry_run=true because its condition only checks github.event_name != 'pull_request', not the dry_run flag. This causes the job summary to incorrectly state "Homebrew Formula Updated" and "The bottle.yml workflow will now build bottles for this release" even though the push was skipped. The condition at line 178 needs to also exclude dry runs, similar to the commit/push step at line 151.

Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 3 files

@sbryngelson sbryngelson enabled auto-merge (squash) February 3, 2026 19:44
@sbryngelson sbryngelson disabled auto-merge February 3, 2026 19:44
@sbryngelson sbryngelson merged commit b70292f into master Feb 3, 2026
86 checks passed
@sbryngelson sbryngelson deleted the brewfix branch February 3, 2026 19:44

Labels

Review effort 3/5 size:L This PR changes 100-499 lines, ignoring generated files
