Capa/.github/workflows/release-homebrew.yml at master · a-hariti/Capa · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
name: Release + Homebrew
# Maintainer notes:
# - Required secret in this repo: HOMEBREW_TAP_TOKEN
#   Token must be able to push to the tap repository.
# - Optional repo variable: HOMEBREW_TAP_REPO (format: owner/repo)
# - If HOMEBREW_TAP_REPO is unset, default tap is <repo-owner>/homebrew-capa.

on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      version:
        description: "Version without leading v (e.g. 0.2.0)"
        required: true

permissions:
  contents: write

jobs:
  publish:
    runs-on: macos-15
    env:
      BIN_NAME: capa
      REPO_OWNER: ${{ github.repository_owner }}
      REPO_NAME: ${{ github.event.repository.name }}
      TAP_REPO: ${{ vars.HOMEBREW_TAP_REPO }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Resolve version
        id: version
        shell: bash
        run: |
          set -euo pipefail
          if [[ "${{ github.event_name }}" == "release" ]]; then
            tag="${{ github.event.release.tag_name }}"
            version="${tag#v}"
          else
            version="${{ inputs.version }}"
            tag="v${version}"
          fi
          echo "tag=$tag" >> "$GITHUB_OUTPUT"
          echo "version=$version" >> "$GITHUB_OUTPUT"

      - name: Build release binary
        shell: bash
        run: swift build -c release

      - name: Validate CLI version matches release version
        shell: bash
        run: |
          set -euo pipefail
          expected="${{ steps.version.outputs.version }}"
          actual="$(.build/release/${BIN_NAME} --version | tr -d '[:space:]')"
          if [[ "$actual" != "$expected" ]]; then
            echo "Version mismatch: binary reports '$actual' but release expects '$expected'." >&2
            exit 1
          fi

      - name: Package artifact
        id: package
        shell: bash
        run: |
          set -euo pipefail
          version="${{ steps.version.outputs.version }}"
          artifact="${BIN_NAME}-v${version}-macos-arm64.tar.gz"
          mkdir -p dist
          cp ".build/release/${BIN_NAME}" "dist/${BIN_NAME}"
          tar -C dist -czf "dist/${artifact}" "${BIN_NAME}"
          sha=$(shasum -a 256 "dist/${artifact}" | awk '{print $1}')
          echo "artifact=$artifact" >> "$GITHUB_OUTPUT"
          echo "sha256=$sha" >> "$GITHUB_OUTPUT"

      - name: Upload release asset
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ steps.version.outputs.tag }}
          files: dist/${{ steps.package.outputs.artifact }}
          fail_on_unmatched_files: true
          generate_release_notes: false

      - name: Select tap repo
        id: tap
        shell: bash
        run: |
          set -euo pipefail
          # Allow overriding the tap repo via Actions variable.
          tap_repo="${TAP_REPO}"
          if [[ -z "$tap_repo" ]]; then
            # Default tap naming convention for this project.
            tap_repo="${REPO_OWNER}/homebrew-capa"
          fi
          echo "repo=$tap_repo" >> "$GITHUB_OUTPUT"

      - name: Update Homebrew tap formula
        shell: bash
        env:
          # PAT used to clone/push the tap repository.
          GH_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
        run: |
          set -euo pipefail
          if [[ -z "${GH_TOKEN}" ]]; then
            echo "HOMEBREW_TAP_TOKEN is not set; skipping tap update." >&2
            exit 1
          fi

          tag="${{ steps.version.outputs.tag }}"
          version="${{ steps.version.outputs.version }}"
          artifact="${{ steps.package.outputs.artifact }}"
          sha="${{ steps.package.outputs.sha256 }}"
          tap_repo="${{ steps.tap.outputs.repo }}"
          asset_url="https://github.com/${REPO_OWNER}/${REPO_NAME}/releases/download/${tag}/${artifact}"

          temp_dir="$(mktemp -d)"
          trap 'rm -rf "$temp_dir"' EXIT

          git clone "https://x-access-token:${GH_TOKEN}@github.com/${tap_repo}.git" "$temp_dir/tap"
          mkdir -p "$temp_dir/tap/Formula"

          scripts/generate_homebrew_formula.sh "$version" "$asset_url" "$sha" > "$temp_dir/tap/Formula/capa.rb"

          pushd "$temp_dir/tap" > /dev/null
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add Formula/capa.rb
          if git diff --cached --quiet; then
            echo "No formula changes to commit."
            exit 0
          fi
          git commit -m "capa ${version}"
          git push origin HEAD
          popd > /dev/null