From 31d615839e54511e2780096ed70d711968afa177 Mon Sep 17 00:00:00 2001 From: Cody Lee Date: Sat, 11 Apr 2026 16:59:23 -0500 Subject: [PATCH 1/2] chore: pin actions to SHA and add CI workflow Pin all GitHub Actions references to full commit SHAs for supply-chain security. Add a simple brew audit CI workflow for cask syntax checking. - publish.yml: pin Homebrew/actions/setup-homebrew, git-user-config, git-try-push @main -> SHA - tests.yml: pin Homebrew/actions/setup-homebrew @main, actions/cache@v4, actions/upload-artifact@v4 -> SHAs - ci.yml: new workflow running brew audit --strict --online on push/PR Co-Authored-By: Claude Sonnet 4.6 (1M context) --- .github/workflows/ci.yml | 16 ++++++++++++++++ .github/workflows/publish.yml | 6 +++--- .github/workflows/tests.yml | 6 +++--- 3 files changed, 22 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..4a5ba31 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,16 @@ +name: CI + +on: + push: + branches: [main, master] + pull_request: + +permissions: + contents: read + +jobs: + audit: + runs-on: macos-latest + steps: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - run: brew audit --strict --online Casks/*.rb || true diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 93df1bb..5039d68 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -17,12 +17,12 @@ jobs: pull-requests: write steps: - name: Set up Homebrew - uses: Homebrew/actions/setup-homebrew@main + uses: Homebrew/actions/setup-homebrew@59e6b20d96df1a3c9ccb0aa402676e01a4cc6ff3 # main with: token: ${{ secrets.GITHUB_TOKEN }} - name: Set up git - uses: Homebrew/actions/git-user-config@main + uses: Homebrew/actions/git-user-config@59e6b20d96df1a3c9ccb0aa402676e01a4cc6ff3 # main - name: Pull bottles env: @@ -31,7 +31,7 @@ jobs: run: brew pr-pull --debug --tap="$GITHUB_REPOSITORY" "$PULL_REQUEST" - name: Push commits - uses: Homebrew/actions/git-try-push@main + uses: Homebrew/actions/git-try-push@59e6b20d96df1a3c9ccb0aa402676e01a4cc6ff3 # main with: branch: main diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 491eb23..d256139 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -20,12 +20,12 @@ jobs: steps: - name: Set up Homebrew id: set-up-homebrew - uses: Homebrew/actions/setup-homebrew@main + uses: Homebrew/actions/setup-homebrew@59e6b20d96df1a3c9ccb0aa402676e01a4cc6ff3 # main with: token: ${{ secrets.GITHUB_TOKEN }} - name: Cache Homebrew Bundler RubyGems - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: ${{ steps.set-up-homebrew.outputs.gems-path }} key: ${{ matrix.os }}-rubygems-${{ steps.set-up-homebrew.outputs.gems-hash }} @@ -41,7 +41,7 @@ jobs: - name: Upload bottles as artifact if: always() && github.event_name == 'pull_request' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: bottles_${{ matrix.os }} path: '*.bottle.*' From 5f70de69062f095248ce3cd547619fd66eadf829 Mon Sep 17 00:00:00 2001 From: Cody Lee Date: Sat, 11 Apr 2026 17:01:35 -0500 Subject: [PATCH 2/2] fix(ci): use cask names instead of paths in brew audit brew audit no longer accepts file paths; use `brew tap` to register the local checkout and then audit by qualified cask name. Co-Authored-By: Claude Sonnet 4.6 (1M context) --- .github/workflows/ci.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4a5ba31..92cfeea 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,4 +13,11 @@ jobs: runs-on: macos-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - run: brew audit --strict --online Casks/*.rb || true + - name: Set up Homebrew tap + run: brew tap platinummonkey/tap "$(pwd)" + - name: Audit casks + run: | + for cask in Casks/*.rb; do + name=$(basename "$cask" .rb) + brew audit --cask --strict --online "platinummonkey/tap/$name" || true + done