ci: call homebrew-bump as reusable workflow instead of PAT event propagation (#53)
Reverts PR #44's approach of swapping GITHUB_TOKEN for a PAT on action-gh-release. That approach worked in principle but failed in practice during the v0.10.2 cut: HOMEBREW_TAP_GITHUB_TOKEN is a fine-grained PAT scoped only to razvandimescu/homebrew-tap, so when action-gh-release tried to create a release on razvandimescu/numa it got 403 Resource not accessible. v0.10.2 had to be recovered manually via `gh release create` from a user PAT. Root cause of the original bug (from #44): GitHub Actions deliberately does not propagate workflow events triggered by GITHUB_TOKEN, so a release created by GITHUB_TOKEN silently failed to fire homebrew-bump's `release: published` trigger. Fix: sidestep the event-propagation rule entirely by invoking homebrew-bump.yml directly as a reusable workflow via `workflow_call`. - release.yml: drop the `token:` override on action-gh-release (reverts to GITHUB_TOKEN default, which v0.10.0 and v0.10.1 used successfully) and add a new `bump-homebrew` job that `needs: release` and `uses:` homebrew-bump.yml with `secrets: inherit`. - homebrew-bump.yml: add `workflow_call` trigger with a `version` input, remove the `release: published` trigger (no longer needed), keep `workflow_dispatch` for manual recovery, and collapse the version determination step to a single `inputs.version` read. Each token now does exactly what its scope permits: - GITHUB_TOKEN creates the release on numa (contents: write, default) - HOMEBREW_TAP_GITHUB_TOKEN pushes to homebrew-tap (unchanged) The tap update becomes a child job in the release run, so failures are visible in one place instead of "why didn't the release event fire?" mysteries. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit was merged in pull request #53.
This commit is contained in:
Razvan Dimescu
17
.github/workflows/homebrew-bump.yml
vendored
17
.github/workflows/homebrew-bump.yml
vendored
@@ -1,8 +1,12 @@
|
||||
name: Bump Homebrew Tap
|
||||
|
||||
on:
|
||||
release:
|
||||
types: [published]
|
||||
workflow_call:
|
||||
inputs:
|
||||
version:
|
||||
description: 'Version to bump (e.g. 0.10.0 or v0.10.0)'
|
||||
type: string
|
||||
required: true
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
version:
|
||||
@@ -20,13 +24,10 @@ jobs:
|
||||
|
||||
- name: Determine version
|
||||
id: ver
|
||||
env:
|
||||
INPUT_VERSION: ${{ inputs.version }}
|
||||
run: |
|
||||
if [ "${{ github.event_name }}" = "release" ]; then
|
||||
V="${{ github.event.release.tag_name }}"
|
||||
else
|
||||
V="${{ github.event.inputs.version }}"
|
||||
fi
|
||||
V="${V#v}"
|
||||
V="${INPUT_VERSION#v}"
|
||||
echo "version=$V" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Fetch sha256 checksums from release assets
|
||||
|
||||
Reference in New Issue
Block a user