Reverts PR #44's approach of swapping GITHUB_TOKEN for a PAT on action-gh-release. That approach worked in principle but failed in practice during the v0.10.2 cut: HOMEBREW_TAP_GITHUB_TOKEN is a fine-grained PAT scoped only to razvandimescu/homebrew-tap, so when action-gh-release tried to create a release on razvandimescu/numa it got 403 Resource not accessible. v0.10.2 had to be recovered manually via `gh release create` from a user PAT.

Root cause of the original bug (from #44): GitHub Actions deliberately does not propagate workflow events triggered by GITHUB_TOKEN, so a release created by GITHUB_TOKEN silently failed to fire homebrew-bump's `release: published` trigger.

Fix: sidestep the event-propagation rule entirely by invoking homebrew-bump.yml directly as a reusable workflow via `workflow_call`.

- release.yml: drop the `token:` override on action-gh-release (reverts to GITHUB_TOKEN default, which v0.10.0 and v0.10.1 used successfully) and add a new `bump-homebrew` job that `needs: release` and `uses:` homebrew-bump.yml with `secrets: inherit`.
- homebrew-bump.yml: add `workflow_call` trigger with a `version` input, remove the `release: published` trigger (no longer needed), keep `workflow_dispatch` for manual recovery, and collapse the version determination step to a single `inputs.version` read.

Each token now does exactly what its scope permits:

- GITHUB_TOKEN creates the release on numa (contents: write, default)
- HOMEBREW_TAP_GITHUB_TOKEN pushes to homebrew-tap (unchanged)

The tap update becomes a child job in the release run, so failures are visible in one place instead of "why didn't the release event fire?" mysteries.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
78 lines
2.3 KiB
YAML
name: Bump Homebrew Tap

on:
  workflow_call:
    inputs:
      version:
        description: 'Version to bump (e.g. 0.10.0 or v0.10.0)'
        type: string
        required: true
  workflow_dispatch:
    inputs:
      version:
        description: 'Version to bump (e.g. 0.10.0 or v0.10.0)'
        required: true

permissions:
  contents: read

jobs:
  bump:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Determine version
        id: ver
        env:
          INPUT_VERSION: ${{ inputs.version }}
        run: |
          V="${INPUT_VERSION#v}"
          echo "version=$V" >> "$GITHUB_OUTPUT"

      - name: Fetch sha256 checksums from release assets
        id: shas
        env:
          V: ${{ steps.ver.outputs.version }}
        run: |
          set -euo pipefail
          base="https://github.com/razvandimescu/numa/releases/download/v${V}"
          for t in macos-aarch64 macos-x86_64 linux-aarch64 linux-x86_64; do
            sha=$(curl -fsSL "${base}/numa-${t}.tar.gz.sha256" | awk '{print $1}')
            if [ -z "$sha" ]; then
              echo "ERROR: failed to fetch sha256 for $t" >&2
              exit 1
            fi
            key=$(echo "$t" | tr '[:lower:]-' '[:upper:]_')
            echo "SHA_${key}=${sha}" >> "$GITHUB_ENV"
          done

      - name: Clone homebrew-tap
        env:
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
        run: |
          git clone "https://x-access-token:${HOMEBREW_TAP_GITHUB_TOKEN}@github.com/razvandimescu/homebrew-tap.git" tap

      - name: Update formula
        env:
          VERSION: ${{ steps.ver.outputs.version }}
        run: |
          python3 scripts/update-homebrew-formula.py tap/numa.rb
          echo "--- updated numa.rb ---"
          cat tap/numa.rb

      - name: Commit and push
        working-directory: tap
        env:
          V: ${{ steps.ver.outputs.version }}
        run: |
          if git diff --quiet; then
            echo "numa.rb already at v${V}, nothing to commit"
            exit 0
          fi
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add numa.rb
          git commit -m "chore: bump numa to v${V}"
          git push origin main
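
A stricter form of the checks in the "Determine version" and "Fetch sha256 checksums" steps, as an added example that is not part of the project's workflow: it lets only a plain `X.Y.Z` version and a single 64-character hex digest reach `$GITHUB_OUTPUT` and `$GITHUB_ENV`. The function names, the `X.Y.Z`-only version policy and the lowercase-hex requirement are assumptions made for this example.

```shell
# Added example (not the project's code). Function names are hypothetical.
NL='
'

# Strip an optional leading "v" and accept only MAJOR.MINOR.PATCH (assumed policy).
normalize_version() {
  local v="${1#v}"
  # Reject embedded newlines first: grep -x matches line by line.
  case "$v" in *"$NL"*) return 1 ;; esac
  printf '%s\n' "$v" | grep -Eqx '[0-9]+\.[0-9]+\.[0-9]+' || return 1
  printf '%s\n' "$v"
}

# Read the body of a .sha256 file on stdin and print the digest only when the
# body is a single line whose first field is 64 lowercase hex characters.
extract_sha256() {
  local content first
  content=$(cat)
  # awk '{print $1}' emits one field per input line, and every extra line
  # appended to $GITHUB_ENV is parsed as its own entry, so refuse multi-line input.
  case "$content" in *"$NL"*) return 1 ;; esac
  first=$(printf '%s\n' "$content" | awk '{print $1}')
  printf '%s\n' "$first" | grep -Eqx '[0-9a-f]{64}' || return 1
  printf '%s\n' "$first"
}

# Append SHA_<TARGET>=<digest> to the env file named by $3.
# $1 = target (e.g. linux-x86_64), $2 = raw .sha256 body, $3 = env file path.
emit_sha_env() {
  local target="$1" sha key
  sha=$(printf '%s\n' "$2" | extract_sha256) || {
    echo "ERROR: invalid sha256 for $target" >&2
    return 1
  }
  key=$(printf '%s' "$target" | tr '[:lower:]-' '[:upper:]_')
  printf 'SHA_%s=%s\n' "$key" "$sha" >> "$3"
}

# In the workflow steps this would read, for example:
#   V=$(normalize_version "$INPUT_VERSION") || exit 1
#   emit_sha_env "$t" "$(curl -fsSL "${base}/numa-${t}.tar.gz.sha256")" "$GITHUB_ENV"
```
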