Skip to content

Commit 6490cb1

Browse files
committed
Release: auto-bump the Homebrew tap so brew upgrade users get new versions
The fallback shipping channel is a personal tap (`vdavid/homebrew-tap`) until `vdavid/cmdr` clears Homebrew's 225-star notability bar. A new `bump-tap` job (after `publish`) keeps that tap current: - Skips cleanly when `HOMEBREW_TAP_TOKEN` is absent, so the tap stays a fallback channel and never blocks a release. - Computes the universal DMG's sha256 from the published `Cmdr_<version>_universal.dmg` release asset (the pipeline ships no checksum file to trust). - Clones the tap with the token, rewrites only the `version` and `sha256` lines in `Casks/cmdr.rb`, commits as `cmdr <version>`, and pushes. - Follows the workflow-hardening conventions (SHA-pinned `actions/checkout`, job-scoped permissions).
1 parent 8b2909a commit 6490cb1

1 file changed

Lines changed: 52 additions & 0 deletions

File tree

.github/workflows/release.yml

Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -261,3 +261,55 @@ jobs:
261261
-H "Content-Type: application/json" \
262262
-H "X-Hub-Signature-256: sha256=$SIGNATURE" \
263263
-d "$PAYLOAD"
264+
265+
bump-tap:
266+
name: Bump Homebrew tap
267+
needs: [publish]
268+
runs-on: ubuntu-latest
269+
270+
steps:
271+
- name: Bump the cask in vdavid/homebrew-tap
272+
env:
273+
# Fine-grained PAT with contents read+write on vdavid/homebrew-tap only.
274+
# When absent (e.g. a fork or before the secret is created), skip cleanly:
275+
# the tap is a fallback channel, not part of the release contract.
276+
HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
277+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
278+
TAG: ${{ github.ref_name }}
279+
run: |
280+
set -euo pipefail
281+
282+
if [ -z "${HOMEBREW_TAP_TOKEN:-}" ]; then
283+
echo "HOMEBREW_TAP_TOKEN absent; skipping tap bump (tap is a fallback channel)."
284+
exit 0
285+
fi
286+
287+
VERSION="${TAG#v}"
288+
289+
# Compute the universal DMG's sha256 from the published release asset itself,
290+
# not from any pre-existing checksum file (the pipeline ships none).
291+
DMG="Cmdr_${VERSION}_universal.dmg"
292+
# -R is required: this job has no checkout, so gh has no repo context to infer.
293+
gh release download "$TAG" -R "$GITHUB_REPOSITORY" -p "$DMG" -D /tmp/tap-dmg
294+
SHA256=$(shasum -a 256 "/tmp/tap-dmg/$DMG" | cut -d' ' -f1)
295+
echo "Universal DMG sha256: $SHA256"
296+
297+
# Clone the tap with the token and rewrite ONLY the version + sha256 lines.
298+
git clone "https://x-access-token:${HOMEBREW_TAP_TOKEN}@github.com/vdavid/homebrew-tap.git" /tmp/homebrew-tap
299+
CASK="/tmp/homebrew-tap/Casks/cmdr.rb"
300+
301+
sed -i -E "s|^( version \").*(\")|\1${VERSION}\2|" "$CASK"
302+
sed -i -E "s|^( sha256 \").*(\")|\1${SHA256}\2|" "$CASK"
303+
304+
cd /tmp/homebrew-tap
305+
git config user.name "github-actions[bot]"
306+
git config user.email "github-actions[bot]@users.noreply.github.com"
307+
308+
if git diff --quiet; then
309+
echo "Cask already at version ${VERSION} with this sha256; nothing to bump."
310+
exit 0
311+
fi
312+
313+
git add Casks/cmdr.rb
314+
git commit -m "cmdr ${VERSION}"
315+
git push origin HEAD

0 commit comments

Comments
 (0)