
ci(release): auto-bump Homebrew tap formula on release #6

Merged: fank merged 1 commit into main from claude/add-tap-bump, Apr 12, 2026

@fank fank commented Apr 11, 2026

Summary

Pilots the Homebrew tap auto-bump integration on esq-cli (smallest blast radius of the three Go CLIs). Once validated on a real release, the same pattern fans out to atl-cli and n8n-cli.

What changes

  1. New post-release steps in release.yml:
    • Mint an ephemeral GitHub App token (scoped to homebrew-tap only)
    • Derive the bot committer identity from the App's user ID for proper commit attribution
    • Invoke dawidd6/action-homebrew-bump-formula@v7, which wraps brew bump-formula-pr --version=... — the native Homebrew command for multi-URL formulas
    • Marked continue-on-error: true so a tap-bump failure never breaks the release itself
  2. Release body gets a Homebrew install section at the top, since brew install enthus-appdev/tap/esq is now the intended default install path.

Why dawidd6 and not mislav/bump-homebrew-formula-action

Our tap formulas have four separate URLs (darwin-arm64, darwin-amd64, linux-arm64, linux-amd64) each with its own SHA256. The mislav action's download-url input accepts only one URL per invocation, so it would update 1 of 4 URLs and leave the other 3 stale — breaking brew install on 3 of 4 platforms.

dawidd6/action-homebrew-bump-formula runs brew bump-formula-pr --version= which natively substitutes the version into every URL in the formula, re-downloads each tarball, and computes all four fresh SHA256s in one pass. That's exactly what we need.

Auth

Uses the enthus-appdev-tap-bumper GitHub App (installed only on homebrew-tap, permissions: contents RW + pull-requests RW). Secrets are org-scoped to the 3 CLI repos only:

  • HOMEBREW_TAP_APP_ID
  • HOMEBREW_TAP_APP_PRIVATE_KEY

Tokens are minted ephemerally per run via actions/create-github-app-token@v2 — no long-lived PAT, no rotation burden, and the token is scoped to homebrew-tap only for the duration of the job.

Test plan

  • Workflow YAML is syntactically valid (checked locally with python3 -c 'import yaml; yaml.safe_load(...)')
  • Merge this PR
  • Cut the next esq-cli release (e.g., v1.1.1 or v1.2.0)
  • Verify: the tap bump step runs, produces a PR on enthus-appdev/homebrew-tap titled something like esq 1.1.1, with all 4 URLs + SHAs updated
  • Review/merge the auto-generated tap PR
  • Verify: brew upgrade enthus-appdev/tap/esq picks up the new version

Rollout plan

This is the pilot. Once the pipeline has been validated end-to-end on a real release, the same 3-step pattern gets copied (identically, with just the formula name changed) to:

  • enthus-appdev/atl-cli
  • enthus-appdev/n8n-cli

Each as a separate small PR.
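
A check for the failure mode the PR description above is designed around (one of four URLs bumped, three left stale), as an added example that is not part of the PR or the project's code. It assumes each `url` line names its platform and embeds the version, and that `sha256` directly follows `url`; the host and digests in the sample are constructed placeholders.

```python
import re

PLATFORMS = ("darwin-arm64", "darwin-amd64", "linux-arm64", "linux-amd64")
# Assumption: each url line is directly followed by its sha256 line.
PAIR_RE = re.compile(
    r'^[ \t]*url[ \t]+"([^"]+)"(?:[ \t]*\n[ \t]*sha256[ \t]+"([0-9a-f]{64})")?', re.M)

def parse_pairs(formula_text):
    """Map platform -> (url, sha256 or None); a platform seen twice maps to None."""
    found = {}
    for url, digest in PAIR_RE.findall(formula_text):
        for plat in PLATFORMS:
            if plat in url:
                found[plat] = None if plat in found else (url, digest or None)
    return found

def audit_bump(old_text, new_text, new_version):
    """Return findings for a tap bump; an empty list means all four pairs moved."""
    # Match the version only as a whole token, so 1.1.1 does not match 1.1.10.
    ver_re = re.compile(rf'(?<![\d.]){re.escape(new_version)}(?!\.?\d)')
    old, new = parse_pairs(old_text), parse_pairs(new_text)
    findings = []
    for plat in PLATFORMS:
        entry = new.get(plat)
        if entry is None:
            findings.append(f"{plat}: url missing or duplicated")
            continue
        url, digest = entry
        if not ver_re.search(url):
            findings.append(f"{plat}: url does not contain {new_version}")
        if digest is None:
            findings.append(f"{plat}: no sha256 directly after url")
        elif old.get(plat) and digest == old[plat][1]:
            findings.append(f"{plat}: sha256 unchanged from previous formula")
    return findings

def sample_formula(versions, fill_chars):
    """Constructed input: placeholder host and digests, not the real Formula/esq.rb."""
    body = "".join(
        f'  url "https://example.invalid/esq/v{v}/esq-{p}.tar.gz"\n  sha256 "{c * 64}"\n'
        for p, v, c in zip(PLATFORMS, versions, fill_chars))
    return f"class Esq < Formula\n{body}end\n"

OLD = sample_formula(["1.1.0"] * 4, "abcd")
PARTIAL = sample_formula(["1.1.1", "1.1.0", "1.1.0", "1.1.0"], "ebcd")  # 1 of 4 bumped
FULL = sample_formula(["1.1.1"] * 4, "0123")

if __name__ == "__main__":
    for name, text in (("partial", PARTIAL), ("full", FULL)):
        print(name, audit_bump(OLD, text, "1.1.1"))
```

Run against the formula before and after the auto-generated tap PR, an empty result corresponds to the "all 4 URLs + SHAs updated" item in the test plan.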

Adds a post-release step to automatically bump the esq formula in
enthus-appdev/homebrew-tap whenever a new version tag triggers a
release. This removes the manual step of editing Formula/esq.rb each
time and ensures the tap never drifts behind the CLI.

Implementation uses dawidd6/action-homebrew-bump-formula which wraps
Homebrew's `brew bump-formula-pr --version=...`. That command natively
handles multi-URL formulas (darwin-arm64 / darwin-amd64 / linux-arm64 /
linux-amd64), rewriting all four URLs and SHA256 checksums in a single
pass — the mislav/bump-homebrew-formula-action alternative only handles
one URL per invocation.

Authentication uses the `enthus-appdev-tap-bumper` GitHub App via
actions/create-github-app-token. The App is installed only on the
homebrew-tap repo with minimal permissions (contents: read/write,
pull-requests: read/write), scoped via org-level selected-repository
secrets. The bot committer identity is derived dynamically from the
App's user ID so commits are properly linked to the bot profile.

The step is marked continue-on-error so a tap-bump failure doesn't fail
the release itself — the release is the primary artifact and can be
re-bumped later if needed.

The release body now also mentions the Homebrew install path first, so
users discover the easiest install method.
@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@fank fank merged commit 896b608 into main Apr 12, 2026
6 checks passed
@fank fank deleted the claude/add-tap-bump branch April 12, 2026 09:16