fix(ci): repair Docker build and Homebrew formula bump in release workflow #2525

Merged
Andriy Knysh (aknysh) merged 1 commit into main from aknysh/fix-ci
May 26, 2026

@aknysh
Member

@aknysh Andriy Knysh (aknysh) commented May 26, 2026

what

  • Replace the flaky upstream install_kustomize.sh script in the Dockerfile with a direct download from GitHub Releases, pinned to kustomize v5.8.1
  • Replace mislav/bump-homebrew-formula-action@v3 with dawidd6/action-homebrew-bump-formula@v7 (SHA-pinned) for the Homebrew formula bump step

why

  • The kustomize install script has known bugs (kubernetes-sigs/kustomize#5562) causing tar extraction failures (tar: ./kustomize_v*_linux_amd64.tar.gz: Cannot open) during Docker image builds
  • The mislav/bump-homebrew-formula-action is broken because GitHub now returns HTTP 303 instead of 302 for tarball redirects, and the action hardcodes statusCode == 302 (mislav/bump-homebrew-formula-action#340, open/unfixed)
  • Both failures blocked the v1.219.0 release workflow (run #26131090357)

references

Summary by CodeRabbit

  • Chores
    • Updated build and deployment infrastructure, including CI/CD workflow configuration and Docker build process improvements for enhanced reliability and maintainability.

…kflow

The kustomize install script has known bugs (kubernetes-sigs/kustomize#5562) causing
tar extraction failures. Replace with direct download pinned to v5.8.1.

The mislav/bump-homebrew-formula-action is broken by GitHub returning HTTP 303 instead
of 302 for tarball redirects (mislav/bump-homebrew-formula-action#340). Replace with
dawidd6/action-homebrew-bump-formula@v7 which uses `brew bump-formula-pr` and properly
follows redirects.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@aknysh Andriy Knysh (aknysh) requested a review from a team as a code owner May 26, 2026 16:46
@aknysh Andriy Knysh (aknysh) added the no-release Do not create a new release (wait for additional code changes) label May 26, 2026
@atmos-pro
Contributor

atmos-pro Bot commented May 26, 2026

Tip

Atmos Pro  

No affected stacks workflow was detected for this pull request.
If this is expected, no action is needed.

@github-actions github-actions Bot added the size/s Small size PR label May 26, 2026
@aknysh Andriy Knysh (aknysh) self-assigned this May 26, 2026
@github-actions

Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Files

  • .github/workflows/build.yml

@mergify

mergify Bot commented May 26, 2026

Important

Cloud Posse Engineering Team Review Required

This pull request modifies files that require Cloud Posse's review. Please be patient, and a core maintainer will review your changes.

To expedite this process, reach out to us on Slack in the #pr-reviews channel.

@mergify mergify Bot added the needs-cloudposse Needs Cloud Posse assistance label May 26, 2026
@coderabbitai
Contributor

coderabbitai Bot commented May 26, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ae801624-e4b5-4e34-aed1-a5f570174b5f

📥 Commits

Reviewing files that changed from the base of the PR and between 3ae76cd and e611145.

📒 Files selected for processing (2)
  • .github/workflows/build.yml
  • Dockerfile

Walkthrough

This PR updates two build infrastructure dependencies. The Homebrew formula bump step is upgraded to a newer action that handles GitHub HTTP redirects correctly, and the Kustomize installation is simplified by replacing a script with a direct pinned download with cross-architecture support.

Changes

Build and Release Infrastructure Updates

| Layer / File(s) | Summary |
|---|---|
| Homebrew formula bump action upgrade (.github/workflows/build.yml) | Replaces mislav/bump-homebrew-formula-action@v3 with a pinned commit of dawidd6/action-homebrew-bump-formula to resolve HTTP 303 redirect handling, passing token and formula inputs with explanatory comments on the prior incompatibility. |
| Kustomize installation via direct download (Dockerfile) | Replaces the shell-based Kustomize installer with a pinned v5.8.1 direct download from GitHub releases, using TARGETPLATFORM for architecture selection (amd64/arm64), failing on unsupported platforms, and extracting to /usr/local/bin. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

patch

Suggested reviewers

  • osterman

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main changes: fixing CI by repairing Docker build and Homebrew formula bump in the release workflow, which matches the core objectives. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@aknysh
Member Author

CodeRabbit (@coderabbitai) review if the changes in the PR are correct

@coderabbitai
Contributor

coderabbitai Bot commented May 26, 2026

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
echo "=== Dockerfile ==="
cat Dockerfile

echo ""
echo "=== .github/workflows/build.yml ==="
cat .github/workflows/build.yml

Length of output: 5256


🌐 Web query:

kustomize v5.8.1 github release download URL format tar.gz linux amd64

Length of output: 6129


🌐 Web query:

dawidd6/action-homebrew-bump-formula v7 release SHA 1446dca236b0440c6f02723a3f14f13be2c04ab0

Length of output: 13353


🌐 Web query:

atmos cloudposse homebrew formula homebrew-core OR homebrew-tap location

Length of output: 12883



@aknysh Both changes look correct. Here's a breakdown:


Dockerfile — Kustomize install

| Check | Result |
|---|---|
| kustomize v5.8.1 exists on GitHub Releases | ✅ Confirmed — kustomize_v5.8.1_linux_amd64.tar.gz and kustomize_v5.8.1_linux_arm64.tar.gz exist |
| URL format (kustomize%2Fv${VERSION}/kustomize_v${VERSION}_linux_${ARCH}.tar.gz) | ✅ Correct |
| tar xz -C /usr/local/bin extraction | ✅ Correct — kustomize tarballs contain the binary at the archive root, so it lands directly at /usr/local/bin/kustomize |
| Architecture mapping (amd64/arm64 + error on unsupported) | ✅ Correct and consistent with the Atmos install block below it |

One minor note: the curl | tar pipeline has no checksum verification against checksums.txt. Not a blocker since the version is pinned, but worth being aware of.


Workflow — Homebrew formula bump

| Check | Result |
|---|---|
| SHA 1446dca236b0440c6f02723a3f14f13be2c04ab0 matches v7 | ✅ Confirmed — multiple Dependabot PRs across repos reference this exact SHA as the v7 merge commit |
| formula: atmos — correct name | ✅ Confirmed — formula lives at Homebrew/homebrew-core/Formula/a/atmos.rb |
| No tap input needed | ✅ Correct — atmos is in homebrew-core, not a custom tap; the action defaults to homebrew/core |
| token: ${{ secrets.GH_BOT_TOKEN }} | ✅ Correct — action requires a PAT with public_repo + workflow scopes, not GITHUB_TOKEN |
| Auto-detection of tag/revision | ✅ In standard mode (triggered by release: published), the action pulls these automatically |

The homebrew-core formula even has no_autobump! because: :bumped_by_upstream, confirming this workflow is the intended upstream bump mechanism.


Both fixes are solid. The PR correctly addresses the two root causes (kustomize script tar bug, and the HTTP 303 redirect issue with the old Homebrew action).
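
The checksum gap noted in the review above can be closed by downloading to a file, verifying it against the release's checksums.txt, and only then extracting. This is an added example, not code from the PR or the review: the function names are hypothetical, and it assumes checksums.txt is published beside the tarball and uses the `sha256sum` line format (`<hash>  <filename>`).

```shell
#!/bin/sh
# Added example (not the PR's Dockerfile code): checksum-verified kustomize install.
KUSTOMIZE_VERSION="5.8.1"  # version pinned in the PR
# Assumption: checksums.txt sits beside the tarballs in the same release.
BASE_URL="https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${KUSTOMIZE_VERSION}"

# Map Docker's TARGETPLATFORM to the release asset architecture; fail on anything else.
platform_to_arch() {
  case "$1" in
    linux/amd64) echo amd64 ;;
    linux/arm64) echo arm64 ;;
    *) echo "unsupported platform: $1" >&2; return 1 ;;
  esac
}

# verify_tarball TARBALL CHECKSUMS_FILE ASSET_NAME
# Succeeds only if TARBALL's SHA-256 equals the entry listed for ASSET_NAME.
verify_tarball() {
  expected=$(awk -v f="$3" '$2 == f || $2 == ("*" f) { print $1; exit }' "$2")
  [ -n "$expected" ] || { echo "no checksum entry for $3" >&2; return 1; }
  actual=$(sha256sum "$1" | awk '{ print $1 }')
  [ "$expected" = "$actual" ] || { echo "checksum mismatch for $3" >&2; return 1; }
}

# install_kustomize TARGETPLATFORM DEST_DIR
# Downloads to a temp dir, verifies, then extracts; nothing is unpacked on mismatch.
install_kustomize() {
  arch=$(platform_to_arch "$1") || return 1
  asset="kustomize_v${KUSTOMIZE_VERSION}_linux_${arch}.tar.gz"
  tmp=$(mktemp -d) || return 1
  rc=0
  curl -fsSL -o "$tmp/$asset" "$BASE_URL/$asset" &&
    curl -fsSL -o "$tmp/checksums.txt" "$BASE_URL/checksums.txt" &&
    verify_tarball "$tmp/$asset" "$tmp/checksums.txt" "$asset" &&
    tar -xzf "$tmp/$asset" -C "$2" || rc=1
  rm -rf "$tmp"
  return "$rc"
}
```

In a Dockerfile `RUN` step this would be called as `install_kustomize "$TARGETPLATFORM" /usr/local/bin`. Because checksums.txt comes from the same release as the tarball, this catches corrupted or truncated downloads; committing the expected digest alongside the pinned version gives stronger assurance against a replaced release asset.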

@codecov

codecov Bot commented May 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.56%. Comparing base (3ae76cd) to head (e611145).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2525      +/-   ##
==========================================
+ Coverage   78.54%   78.56%   +0.02%     
==========================================
  Files        1143     1143              
  Lines      109834   109834              
==========================================
+ Hits        86266    86288      +22     
+ Misses      18783    18757      -26     
- Partials     4785     4789       +4     
Flag Coverage Δ
unittests 78.56% <ø> (+0.02%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 11 files with indirect coverage changes

@aknysh Andriy Knysh (aknysh) merged commit be7641e into main May 26, 2026
110 of 111 checks passed
@aknysh Andriy Knysh (aknysh) deleted the aknysh/fix-ci branch May 26, 2026 18:18
@atmos-pro
Contributor

atmos-pro Bot commented May 26, 2026

Tip

Atmos Pro  

No affected stacks workflow was detected for this pull request.
If this is expected, no action is needed.

@mergify mergify Bot removed the needs-cloudposse Needs Cloud Posse assistance label May 26, 2026
@github-actions

These changes were released in v1.220.0-rc.4.
