ci: harden release pipeline and add homebrew bump workflow

inureyes · inureyes · commit bbc5777828d7 · 2026-05-18T14:41:14.000+09:00
- release.yml: default-deny top-level perms with job-level grants,
  github.repository guard against fork workflow_dispatch, and
  persist-credentials=false on every checkout step to avoid leaking
  GITHUB_TOKEN into .git/config on the self-hosted runner pool.

- pipeline-parallel-ci.yml: fork PR guard on both jobs
  (two-host-logical and three-host-real-model) so canonical
  self-hosted runners and the CI fixture release stay accessible only
  to in-org pull requests and workflow_dispatch runs.

- update_homebrew_formula.yml: new workflow ported from
  lablup/all-smi that updates Formula/mlxcel.rb on lablup/homebrew-tap
  after each Release completes (workflow_run) or via
  workflow_dispatch. Scopes the brew artifact to
  mlxcel-macos-aarch64.zip (Linux CUDA variants stay raw release
  assets), aborts on undersized downloads, and is gated to
  lablup/mlxcel via the same repository guard pattern.
diff --git a/.github/workflows/pipeline-parallel-ci.yml b/.github/workflows/pipeline-parallel-ci.yml
@@ -78,6 +78,15 @@ jobs:
   two-host-logical:
     name: 2-host logical (${{ matrix.os }})
     runs-on: ${{ matrix.os }}
+    # Public-mirror guard: skip on forks. PRs opened from a fork would
+    # otherwise execute fork-author code against this canonical repository's
+    # GITHUB_TOKEN and CI fixture release, which we intentionally disallow on
+    # the public release mirror. Internal PRs (head repo == this repo) and
+    # `workflow_dispatch` still run normally.
+    if: >-
+      github.repository == 'lablup/mlxcel' &&
+      (github.event_name != 'pull_request' ||
+        github.event.pull_request.head.repo.full_name == github.repository)
     strategy:
       fail-fast: false
       matrix:
@@ -88,6 +97,9 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
+        with:
+          # Don't leave GITHUB_TOKEN in .git/config; CI jobs only fetch.
+          persist-credentials: false
 
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable
@@ -194,10 +206,13 @@ jobs:
     # stays queued until the runner becomes available or the PR is
     # updated — it does not auto-fail.
     if: |
-      (github.event_name == 'pull_request' &&
-        contains(github.event.pull_request.labels.*.name, 'ci:pp-three-host')) ||
-      (github.event_name == 'workflow_dispatch' &&
-        github.event.inputs.run_three_host == 'true')
+      github.repository == 'lablup/mlxcel' && (
+        (github.event_name == 'pull_request' &&
+          github.event.pull_request.head.repo.full_name == github.repository &&
+          contains(github.event.pull_request.labels.*.name, 'ci:pp-three-host')) ||
+        (github.event_name == 'workflow_dispatch' &&
+          github.event.inputs.run_three_host == 'true')
+      )
     runs-on:
       - self-hosted
       - pp-three-host
@@ -213,6 +228,9 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
+        with:
+          # Don't leave GITHUB_TOKEN in .git/config; CI jobs only fetch.
+          persist-credentials: false
 
       - name: Resolve model root
         id: model
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,8 +9,8 @@ on:
         description: 'Release tag to upload artifacts to (e.g. v0.1.0)'
         required: false
 
-permissions:
-  contents: write
+# Default-deny top-level permissions; each job grants only what it needs.
+permissions: {}
 
 jobs:
   # ============================================================================
@@ -21,13 +21,24 @@ jobs:
     runs-on: self-hosted-macos-26-arm64 # Self-hosted Apple Silicon runner with macOS 26 SDK + Metal 4
     environment: packaging
     timeout-minutes: 90
+    # Block forks from invoking this workflow against the canonical self-hosted
+    # runner pool. `workflow_dispatch` can be triggered from any branch the
+    # actor has push access to, so this guard is the last line of defense
+    # against a forked copy of the repo dispatching a build with the
+    # canonical-org runner labels.
+    if: github.repository == 'lablup/mlxcel'
+    permissions:
+      contents: write
 
     env:
       MACOSX_DEPLOYMENT_TARGET: "14.0"
 
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
+        with:
+          # Don't leave GITHUB_TOKEN in .git/config; release jobs only fetch.
+          persist-credentials: false
 
       # Use persistent cache paths for self-hosted runner (outside workspace)
       - name: Setup persistent cache paths (self-hosted)
@@ -184,6 +195,9 @@ jobs:
     name: Build Linux ARM64 CUDA (${{ matrix.variant }})
     runs-on: GB10
     environment: packaging
+    if: github.repository == 'lablup/mlxcel'
+    permissions:
+      contents: write
 
     strategy:
       fail-fast: false
@@ -204,6 +218,9 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
+        with:
+          # Don't leave GITHUB_TOKEN in .git/config; release jobs only fetch.
+          persist-credentials: false
 
       # Use persistent cache paths for self-hosted runner (outside workspace)
       - name: Setup persistent cache paths (self-hosted)
@@ -295,7 +312,7 @@ jobs:
   notify-teams:
     name: Notify Teams on release
     needs: [build-macos, build-linux-cuda]
-    if: github.event_name == 'release'
+    if: github.repository == 'lablup/mlxcel' && github.event_name == 'release'
     runs-on: ubuntu-latest
     permissions: {}
 
@@ -349,7 +366,7 @@ jobs:
   promote-release:
     name: Promote to full release
     needs: [build-macos, build-linux-cuda]
-    if: always() && github.event_name == 'release' && github.event.release.prerelease && needs.build-macos.result == 'success' && needs.build-linux-cuda.result == 'success'
+    if: always() && github.repository == 'lablup/mlxcel' && github.event_name == 'release' && github.event.release.prerelease && needs.build-macos.result == 'success' && needs.build-linux-cuda.result == 'success'
     runs-on: ubuntu-latest
     permissions:
       contents: write
diff --git a/.github/workflows/update_homebrew_formula.yml b/.github/workflows/update_homebrew_formula.yml
@@ -0,0 +1,112 @@
+name: Update Homebrew Formula
+
+# Adapted from lablup/all-smi's update_homebrew_formula.yml. mlxcel ships a
+# single brew-supported artifact (macOS Apple Silicon); the Linux CUDA
+# variants are hardware-specific and continue to be distributed only as raw
+# GitHub Release assets.
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_tag:
+        description: "Release tag (e.g. v0.0.27)"
+        required: false
+
+  workflow_run:
+    workflows: ["Release"]
+    types:
+      - completed
+
+# Default-deny top-level permissions; each job grants only what it needs.
+permissions: {}
+
+jobs:
+  update-homebrew:
+    name: Update Homebrew Formula
+    runs-on: macos-latest
+    environment: packaging
+    # Pin this job to the canonical public repository. `workflow_run` cannot
+    # be triggered from a fork's Release workflow (workflow_run only observes
+    # workflows defined on the default branch of the same repo), but
+    # `workflow_dispatch` can be invoked from any branch the actor has push
+    # access to. The repository guard removes that residual attack surface.
+    if: >-
+      github.repository == 'lablup/mlxcel' &&
+      (github.event_name == 'workflow_dispatch' ||
+        github.event.workflow_run.conclusion == 'success')
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Install gnu-sed
+        run: brew install gnu-sed
+
+      - name: Determine version tag
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ] && [ -n "${{ github.event.inputs.release_tag }}" ]; then
+            echo "VERSION=${{ github.event.inputs.release_tag }}" >> $GITHUB_ENV
+          else
+            TAG=$(gh api repos/${{ github.repository }}/releases/latest --jq .tag_name)
+            echo "VERSION=$TAG" >> $GITHUB_ENV
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Clone Homebrew tap repository
+        env:
+          HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
+        run: |
+          git clone "https://x-access-token:${HOMEBREW_TAP_TOKEN}@github.com/lablup/homebrew-tap.git"
+          cd homebrew-tap
+          git config user.name "GitHub Action"
+          git config user.email "actions@github.com"
+
+      - name: Download release artifact and calculate SHA256
+        run: |
+          cd homebrew-tap
+          RAW_VERSION="${{ env.VERSION }}"
+          VERSION="${RAW_VERSION#v}"  # Strip leading 'v' if present
+          echo "VERSION_NO_V=$VERSION" >> $GITHUB_ENV
+
+          MAC_URL="https://github.com/${{ github.repository }}/releases/download/v${VERSION}/mlxcel-macos-aarch64.zip"
+
+          mkdir -p tmp
+          # -f: fail on HTTP errors (so a missing release surfaces here, not as
+          # a silent zero-byte artifact whose SHA256 ends up committed to the
+          # tap).
+          curl -fLs --retry 3 "$MAC_URL" -o tmp/mac.zip
+
+          # Sanity check: a non-zero file with a valid zip magic. mlxcel's
+          # macOS asset is around 60 MB at v0.0.27, so anything tiny is a
+          # release-pipeline regression and we abort before mutating the
+          # formula.
+          ACTUAL_SIZE=$(stat -f%z tmp/mac.zip)
+          if [ "$ACTUAL_SIZE" -lt 1048576 ]; then
+            echo "::error::Downloaded artifact is suspiciously small ($ACTUAL_SIZE B); aborting bump."
+            exit 1
+          fi
+
+          echo "mac_url=$MAC_URL" >> $GITHUB_ENV
+          echo "mac_sha=$(shasum -a 256 tmp/mac.zip | awk '{print $1}')" >> $GITHUB_ENV
+
+      - name: Update formula
+        run: |
+          cd homebrew-tap
+          VERSION="${{ env.VERSION_NO_V }}"
+
+          gsed -i "s/^  version .*/  version \"${VERSION}\"/" Formula/mlxcel.rb
+
+          gsed -i "s|https://github.com/.*/mlxcel-macos-aarch64.zip|${mac_url}|" Formula/mlxcel.rb
+          gsed -i "/mlxcel-macos-aarch64.zip\"/!b;n;c\      sha256 \"${mac_sha}\"" Formula/mlxcel.rb
+
+      - name: Commit and push changes to tap
+        run: |
+          cd homebrew-tap
+          if git diff --quiet Formula/mlxcel.rb; then
+            echo "Formula already up to date for v${{ env.VERSION_NO_V }} — nothing to push."
+            exit 0
+          fi
+          git add Formula/mlxcel.rb
+          git commit -m "bump: mlxcel to v${{ env.VERSION_NO_V }}"
+          git push origin main
