
Add custom-tap cask updater and workflow #45611

Draft
allenhouchins wants to merge 6 commits into main from allenhouchins-update-custom-tap


Member

@allenhouchins allenhouchins commented May 15, 2026

This pull request introduces a new GitHub Actions workflow to automate the updating of custom Homebrew tap casks. The workflow is designed to periodically update cask versions, open a pull request with the changes, and manage any existing related pull requests to keep the repository up to date with minimal manual intervention.

Automation of custom-tap cask updates:

  • Added a new workflow file .github/workflows/update-custom-tap-casks.yml that runs every 4 hours and can also be triggered manually. This workflow checks out the repository, sets up Go, runs the cask updater, and creates a pull request with any changes.

Pull request management:

  • The workflow searches for any open pull requests titled "Update custom-tap casks" created by the automation bot and closes them in favor of the latest update, ensuring only one active update PR is open at a time.

Security and reliability improvements:

  • Uses the step-security/harden-runner action to audit outbound network connections for improved security during workflow execution.
  • Sets appropriate permissions for each job and step to follow the principle of least privilege, reducing the risk of unauthorized repository changes.

Summary by CodeRabbit

  • Chores
    • Added automated workflow for updating and maintaining custom tap cask versions on a scheduled basis.
    • Implemented support for manual triggering and automated PR management for cask updates.


Add a new CLI tool and GitHub Actions workflow to automatically bump casks under ee/maintained-apps/inputs/homebrew/custom-tap. The Go command (cmd/maintained-apps-custom-tap-updater) detects upstream versions for several apps (fleet-desktop, xcreds, druva-insync, zoom-rooms), downloads assets to compute sha256, updates the .rb and api/*.json files (version, url, sha256, pkg artifact filenames, ruby_source_checksum) and writes changes. The workflow (.github/workflows/update-custom-tap-casks.yml) runs on a schedule (every 4 hours) or manually, runs the updater, opens a PR with changes using a release PAT, and closes any prior automated PRs in favor of the new one.

codecov Bot commented May 15, 2026

Codecov Report

❌ Patch coverage is 0% with 246 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.66%. Comparing base (ad5bb8a) to head (75291f4).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| cmd/maintained-apps-custom-tap-updater/main.go | 0.00% | 246 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #45611      +/-   ##
==========================================
- Coverage   66.75%   66.66%   -0.09%     
==========================================
  Files        2745     2744       -1     
  Lines      219361   219564     +203     
  Branches    10840    10796      -44     
==========================================
- Hits       146438   146382      -56     
- Misses      59695    59955     +260     
+ Partials    13228    13227       -1     

| Flag | Coverage Δ |
|---|---|
| backend | 68.49% <0.00%> (-0.10%) ⬇️ |


@allenhouchins
Member Author

@claude review once

Add a concurrency group to the update-custom-tap-casks workflow to control overlapping runs and set cancel-in-progress to false. Tighten the "Close Existing PRs" step so it only runs when an existing PR is found and a new pull-request-number was created. In the updater code, handle non-200 responses from the Zoom latest endpoint by logging a warning and aborting processing to avoid treating error responses as valid. Also add the compiled maintained-apps-custom-tap-updater binary.
@allenhouchins allenhouchins marked this pull request as ready for review May 15, 2026 21:09
Copilot AI review requested due to automatic review settings May 15, 2026 21:09

@claude claude Bot left a comment


Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.


Contributor

Copilot AI left a comment


Pull request overview

Adds an automated, scheduled mechanism to keep the custom Homebrew tap casks (fleet-desktop, xcreds, druva-insync, zoom-rooms) in ee/maintained-apps/inputs/homebrew/custom-tap/ in sync with their upstream versions. A new Go command performs the version checks, downloads the artifact to compute the sha256, and rewrites the .rb and api/*.json pair without requiring Homebrew (so it can run on Linux). A new GitHub Actions workflow runs the updater every 4 hours, opens a PR with the diff, and closes any prior open auto-PRs.

Changes:

  • New cmd/maintained-apps-custom-tap-updater/main.go with per-app upstream checkers and rb/json patchers.
  • New scheduled workflow .github/workflows/update-custom-tap-casks.yml that runs the updater and opens/closes PRs via peter-evans/create-pull-request and actions/github-script.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 6 comments.

| File | Description |
|---|---|
| cmd/maintained-apps-custom-tap-updater/main.go | Implements the Linux-friendly cask updater: version checks, anchored rb rewrites, json round-trip, sha256 recompute. |
| .github/workflows/update-custom-tap-casks.yml | Scheduled GitHub Actions workflow that invokes the updater and manages the resulting PRs. |

Contributor

coderabbitai Bot commented May 15, 2026

Walkthrough

This PR adds automated updates for Homebrew custom-tap cask versions. A new GitHub Actions workflow (runs every 4 hours and on manual trigger) orchestrates a Go command that checks upstream sources for each configured app (fleet-desktop, xcreds, druva-insync, zoom-rooms), downloads installer assets, computes SHA256 hashes, and updates both the cask Ruby manifest (version and sha256 anchors) and its JSON metadata file. The workflow queries for existing matching PRs, closes them, and opens a new PR with the updates using peter-evans/create-pull-request.

Possibly related PRs

  • fleetdm/fleet#44961: Updates fleet-desktop cask sha256 and api/fleet-desktop.json checksums to version 1.2.0, which the new updater automates for all custom-tap casks.
🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 72.73% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Description check | ❓ Inconclusive | The description explains the automation features and security improvements but doesn't follow the repository's required template structure with checklists. | Follow the repository's PR description template with required checklist sections (changes files, security validation, testing, database migrations, etc.). |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately and concisely describes the main change: adding a custom-tap cask updater tool and its GitHub Actions workflow. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/update-custom-tap-casks.yml:
- Around line 30-32: The workflow step named "Get current date and time" (id:
date) uses the deprecated set-output command; replace it by writing the output
key/value to the GITHUB_OUTPUT environment file instead: produce the timestamp
with date +'%y%m%d%H%M' and append a line like date=<timestamp> to the file
referenced by the GITHUB_OUTPUT environment variable so the step still exposes
an output named "date". Ensure the step keeps id: date and remove the deprecated
::set-output invocation.
- Around line 34-40: The checkout step using
actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 currently sets ref:
${{ github.head_ref }}, which is empty for schedule and workflow_dispatch runs;
update that ref to an explicit branch (e.g., ref: main) in the Checkout Fleet
step so scheduled and manual runs check out the correct code when creating PRs.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: efaf7f52-8124-4682-b1b0-ddc822ab356f

📥 Commits

Reviewing files that changed from the base of the PR and between 1f49678 and dcfdce2.

📒 Files selected for processing (3)
  • .github/workflows/update-custom-tap-casks.yml
  • cmd/maintained-apps-custom-tap-updater/main.go
  • maintained-apps-custom-tap-updater

cdcme previously approved these changes May 15, 2026
@allenhouchins allenhouchins marked this pull request as draft May 15, 2026 21:58
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
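
The updater behaviour described in this thread (abort on a non-200 upstream reply, recompute the sha256 from the downloaded asset, rewrite the cask through anchored patterns), as an added Go example; it is not the PR's main.go. The names hashResponse, patchCask, versionRe, sha256Re and safeVersion are hypothetical, the version allow-list is an assumption, and the reply and cask text are constructed.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io"
	"net/http"
	"regexp"
	"strings"
)

// Whole-line anchors. safeVersion is an assumed allow-list: no quotes, "#{" or newlines.
var (
	versionRe   = regexp.MustCompile(`(?m)^([ \t]*version[ \t]+)"[^"\n]*"[ \t]*$`)
	sha256Re    = regexp.MustCompile(`(?m)^([ \t]*sha256[ \t]+)"[0-9a-f]{64}"[ \t]*$`)
	safeVersion = regexp.MustCompile(`^[0-9A-Za-z][0-9A-Za-z._,+-]*$`)
)

// hashResponse rejects any non-200 reply so an error page is never hashed as the installer.
func hashResponse(resp *http.Response) (string, error) {
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	h := sha256.New()
	if _, err := io.Copy(h, resp.Body); err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", h.Sum(nil)), nil
}

// patchCask needs each anchor to match exactly once; a no-op would leave a stale checksum.
func patchCask(rb, version, sum string) (string, error) {
	if !safeVersion.MatchString(version) {
		return "", fmt.Errorf("rejected version %q", version)
	}
	for i, re := range []*regexp.Regexp{versionRe, sha256Re} {
		m := re.FindAllStringSubmatchIndex(rb, -1)
		if len(m) != 1 {
			return "", fmt.Errorf("%d matches for %s, want 1", len(m), re)
		}
		rb = rb[:m[0][3]] + `"` + []string{version, sum}[i] + `"` + rb[m[0][1]:]
	}
	return rb, nil
}

func main() { // constructed reply and cask text, not taken from the PR
	sum, _ := hashResponse(&http.Response{StatusCode: 200, Body: io.NopCloser(strings.NewReader("abc"))})
	fmt.Println(patchCask("  version \"1.0.0\"\n  sha256 \""+strings.Repeat("0", 64)+"\"\n", "1.1.0", sum))
}
```

A checksum computed this way only records what the upstream served at download time, so the resulting PR diff (version, url, sha256) is still the point where a reviewer confirms the change matches a real upstream release.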