From b26739d151f6939b3066d1420b6ab13a1f3af0d1 Mon Sep 17 00:00:00 2001 
From: Razvan Dimescu
Date: Thu, 9 Apr 2026 23:29:40 +0300
Subject: [PATCH] ci: call homebrew-bump as reusable workflow instead of PAT event propagation

Reverts PR #44's approach of swapping GITHUB_TOKEN for a PAT on action-gh-release. That approach worked in principle but failed in practice during the v0.10.2 cut: HOMEBREW_TAP_GITHUB_TOKEN is a fine-grained PAT scoped only to razvandimescu/homebrew-tap, so when action-gh-release tried to create a release on razvandimescu/numa it got 403 Resource not accessible. v0.10.2 had to be recovered manually via `gh release create` from a user PAT.

Root cause of the original bug (from #44): GitHub Actions deliberately does not propagate workflow events triggered by GITHUB_TOKEN, so a release created by GITHUB_TOKEN silently failed to fire homebrew-bump's `release: published` trigger.

Fix: sidestep the event-propagation rule entirely by invoking homebrew-bump.yml directly as a reusable workflow via `workflow_call`.

- release.yml: drop the `token:` override on action-gh-release (reverts to GITHUB_TOKEN default, which v0.10.0 and v0.10.1 used successfully) and add a new `bump-homebrew` job that `needs: release` and `uses:` homebrew-bump.yml with `secrets: inherit`.
- homebrew-bump.yml: add `workflow_call` trigger with a `version` input, remove the `release: published` trigger (no longer needed), keep `workflow_dispatch` for manual recovery, and collapse the version determination step to a single `inputs.version` read.

Each token now does exactly what its scope permits:

- GITHUB_TOKEN creates the release on numa (contents: write, default)
- HOMEBREW_TAP_GITHUB_TOKEN pushes to homebrew-tap (unchanged)

The tap update becomes a child job in the release run, so failures are visible in one place instead of "why didn't the release event fire?" mysteries.
Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/homebrew-bump.yml | 17 +++++++++-------- .github/workflows/release.yml | 15 +++++++-------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/homebrew-bump.yml b/.github/workflows/homebrew-bump.yml index 5bcac57..ad54e09 100644 --- a/.github/workflows/homebrew-bump.yml +++ b/.github/workflows/homebrew-bump.yml @@ -1,8 +1,12 @@ name: Bump Homebrew Tap on: - release: - types: [published] + workflow_call: + inputs: + version: + description: 'Version to bump (e.g. 0.10.0 or v0.10.0)' + type: string + required: true workflow_dispatch: inputs: version: @@ -20,13 +24,10 @@ jobs: - name: Determine version id: ver + env: + INPUT_VERSION: ${{ inputs.version }} run: | - if [ "${{ github.event_name }}" = "release" ]; then - V="${{ github.event.release.tag_name }}" - else - V="${{ github.event.inputs.version }}" - fi - V="${V#v}" + V="${INPUT_VERSION#v}" echo "version=$V" >> "$GITHUB_OUTPUT" - name: Fetch sha256 checksums from release assets diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3396667..00cc427 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -103,16 +103,15 @@ jobs: - name: Create Release uses: softprops/action-gh-release@v2 with: - # Use a PAT (not the default GITHUB_TOKEN) so the resulting - # `release: published` event propagates to downstream workflows - # like homebrew-bump.yml. Events triggered by GITHUB_TOKEN are - # deliberately not propagated by GitHub Actions to prevent - # infinite loops; PAT-authored events are the documented escape - # hatch. Reusing HOMEBREW_TAP_GITHUB_TOKEN (already a PAT used - # by homebrew-bump.yml itself) keeps the secret surface flat. - token: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }} generate_release_notes: true files: | *.tar.gz *.zip *.sha256 + + bump-homebrew: + needs: release + uses: ./.github/workflows/homebrew-bump.yml + with: + version: ${{ github.ref_name }} + secrets: inherit -- 2.34.1
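Review bot: In the first homebrew-bump.yml hunk (`@@ -1,8 +1,12 @@`), the new `workflow_call:` block declares a `version` input but no `secrets:` section, which is what forces the caller to use `secrets: inherit`. Declaring the one secret this workflow actually uses, `HOMEBREW_TAP_GITHUB_TOKEN`, under `workflow_call` with `required: true` makes the dependency explicit and lets the caller pass only that secret. The duplicated `version` input under `workflow_dispatch:` is correct, since the `inputs` context is populated for both trigger types, but its description should say it exists only for manual recovery, as the commit message states, so nobody later reintroduces the `release: published` trigger thinking it was dropped by accident.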
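Review bot: In the second homebrew-bump.yml hunk (`@@ -20,13 +24,10 @@`), moving the version into `env:` as `INPUT_VERSION` and reading `${INPUT_VERSION#v}` instead of interpolating `${{ ... }}` into the `run:` script is the right fix for shell injection from an untrusted tag name, and the collapse to a single read is sound because `inputs.version` is set for both `workflow_call` and `workflow_dispatch`. What is still missing is any validation of the value: the stripped `$V` flows straight into `version=$V` and from there into the tap update even if the tag is empty or not a plain dotted version. Add a check after the strip, e.g. `case "$V" in ""|*[!0-9.]*) echo "unexpected version: $V" >&2; exit 1;; esac`, relaxing the pattern only if pre-release tags are meant to bump the tap.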
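Review bot: In the release.yml hunk (`@@ -103,16 +103,15 @@`), `secrets: inherit` on the new `bump-homebrew` job hands every repository and organisation secret to the called workflow, which is broader than the "each token now does exactly what its scope permits" goal in the commit message. Pass only what the tap bump needs, `secrets:` followed by `HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}`, with a matching declaration under `workflow_call` in homebrew-bump.yml. Separately, the removed comment block was the only place that recorded why a PAT was tried; keep a one-line comment on `bump-homebrew` noting that the reusable-workflow call exists because GITHUB_TOKEN-created releases do not fire `release: published`, so the `token:` override is not reintroduced the next time someone wonders why there is no release trigger.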