Pre-building bottles or otherwise "hooking" into the pipeline to attest executables

[heaths]

Output of brew config

HOMEBREW_VERSION: 4.6.16
ORIGIN: https://github.com/Homebrew/brew
HEAD: 999134536e623073ea9b2a8954eeea5898137239
Last commit: 7 days ago
Branch: stable
Core tap JSON: 10 Oct 17:44 UTC
HOMEBREW_PREFIX: /home/linuxbrew/.linuxbrew
HOMEBREW_BROWSER: wslview
HOMEBREW_CASK_OPTS: []
HOMEBREW_DISPLAY: :0
HOMEBREW_EDITOR: hx
HOMEBREW_FORBID_PACKAGES_FROM_PATHS: set
HOMEBREW_MAKE_JOBS: 12
Homebrew Ruby: 3.4.5 => /home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/vendor/portable-ruby/3.4.5/bin/ruby
CPU: dodeca-core 64-bit arm
Clang: N/A
Git: 2.43.0 => /bin/git
Curl: 8.5.0 => /bin/curl
Kernel: Linux 6.6.87.2-microsoft-standard-WSL2 aarch64 GNU/Linux
OS: Ubuntu 24.04.3 LTS (noble)
WSL: 2 (Microsoft Store)
Host glibc: 2.39
Host libstdc++: 6.0.33
/usr/bin/gcc: 13.3.0
/usr/bin/ruby: N/A
glibc: N/A
gcc@12: N/A
gcc: N/A
xorg: N/A

Also applicable for macOS

Output of brew doctor

NA

Description of issue

I'm using GitHub attestation for executables and their tarballs that contain them for provenance. I already build all the platforms Homebrew/linuxbrew would need for bottles; yet, using brew bump-formula-pr doesn't seem to give me a way to specify bottles I've already built and attested, so brew builds the binaries.

Currently, all my executables are built and published in https://github.com/heaths/akv-cli-rs. As of a couple releases ago, the tarballs - and soon the executables therein - are attested. I have a workflow that kicks off when a release is published and creates a PR in https://github.com/heaths/homebrew-tap, which was created from a template for taps and customized only a little afterward to add linux aarch64 support.

My bottles are defined in https://github.com/heaths/homebrew-tap/blob/main/Formula/akv.rb, but after reading through relevant docs a few times, I'm not even sure what the hash represents. It's not the hash of the containers stored in Packages for that repo. Is there a way I can just give it URLs to pre-built and attested tarballs? It's my own tap so I'm not really concerned about what homebrew/homebrew-core supports, though it would be nice to keep that a possibility.

I've resigned to the fact that, if possible in a formulate (if nothing else, I could just write my own support in the install func or something), I probably can't use brew bump-formula-pr but I'd like to try to stick with the intended flow. Is there any other way to "hook" the build process to inject commands like attesting binaries? Obviously this would only work for bottles built for the formula.

[botantony]

If you just want to distribute precompiled binaries, it would be easier to just use casks instead of formulae. Casks support Linux, you can check wizcli for an inspiration

[heaths]

Thanks. I'll read up on those. Ideally, I'd like to support people compiling their own e.g., linuxbrew still doesn't officially support aarch64 so if I did upload to the default homebrew/core tap users would. But, if I have amd64 and arm64 covered across the spectrum, that's probably sufficient anyway.

[SMillerDev]

If you have pre compiled binaries, your users would never have to compile them themselves. If you want to support both cases you can always make something like a project-sourcebuild formula. That way users can pick which method they want.

[heaths]

I meant for architectures I didn't precompile. Off hand, since I cover the major ones, I doubt there's much and it's not like it's a popular tool; this is somewhat academic.

[p-linnane]

Given that Homebrew requires an Apple Silicon CPU or 64-bit Intel CPU to run, I'm not sure what other architectures you'd even be able to support.