Commit bce3d5d

fix(homebrew-build-bottles): unset HOMEBREW_REQUIRE_TAP_TRUST to bypass tap-trust check
The prior fix (HOMEBREW_NO_INSTALL_FROM_API=1 alone) doesn't bypass the tap-trust check that fires inside `brew install --build-bottle`. The check is gated on HOMEBREW_REQUIRE_TAP_TRUST being set in the environment (Homebrew::EnvConfig.require_tap_trust?), and GitHub runner images set that variable by default — so the trust check still rejected `kreuzberg-dev/tap/<formula>` even when the formula source was loaded from the local clone. Unsetting the variable in-script before `brew tap` is the in-script equivalent of trusting the tap: the check evaluates the env var directly with no other override. Verified against the `Refusing to load formula <…> from untrusted tap` errors observed on alef v0.24.10 publish run 27394909611 and kreuzcrawl rc.55 publish run 27392283242.
1 parent 324edd6 commit bce3d5d

1 file changed

Lines changed: 15 additions & 7 deletions

homebrew-build-bottles/scripts/build-bottles.sh

@@ -32,14 +32,22 @@ set -o pipefail
3232
echo "::endgroup::"
3333

3434
echo "::group::Tap ${tap}"
35-
brew tap "$tap"
36-
# Recent Homebrew refuses to load formulae from non-core taps unless the tap is
37-
# explicitly trusted ("Refusing to load formula <…> from untrusted tap"). The
38-
# `brew trust` command suggested by the error message does not exist on every
39-
# Homebrew version, so the portable workaround is to force git-tap installs
40-
# (HOMEBREW_NO_INSTALL_FROM_API=1) — which bypasses the JSON-API trust check
41-
# entirely since we read formulae from the just-tapped clone instead.
35+
# Recent Homebrew refuses to load formulae from non-core taps when
36+
# HOMEBREW_REQUIRE_TAP_TRUST is set ("Refusing to load formula <…> from
37+
# untrusted tap"). GitHub-hosted runners set HOMEBREW_REQUIRE_TAP_TRUST in
38+
# the default environment, so the check fires at `brew install` time even
39+
# when HOMEBREW_NO_INSTALL_FROM_API=1 forces the git-clone source. There
40+
# is no portable `brew trust` command, and the trust check evaluates the
41+
# env var directly (Homebrew::EnvConfig.require_tap_trust? — see
42+
# Library/Homebrew/formulary.rb), so unsetting the variable is the
43+
# in-script equivalent of trusting the tap. Must precede `brew tap` so
44+
# the trust evaluation never fires for any tap operation in this shell.
45+
unset HOMEBREW_REQUIRE_TAP_TRUST
46+
# Force git-tap installs so the formula is read from the just-tapped
47+
# clone instead of the JSON API (avoids stale API metadata on first
48+
# bottle build).
4249
export HOMEBREW_NO_INSTALL_FROM_API=1
50+
brew tap "$tap"
4351
# GitHub-hosted Linux runners block unprivileged user namespaces, so even
4452
# though bubblewrap is installed it cannot create a rootless sandbox
4553
# ("Bubblewrap is installed but cannot create a rootless sandbox"). The
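
Review bot: The `unset HOMEBREW_REQUIRE_TAP_TRUST` at new line 45 removes the trust check for every later brew command in this shell, not only for `$tap`, and the comment at new lines 43-44 confirms that is the intent ("never fires for any tap operation in this shell"). That is broader than the problem the comment describes, which is one known tap being rejected. The hunk does not show where `$tap` is set, so if it comes from a workflow input, whatever value is passed is loaded with the runner's default protection switched off. Consider checking `$tap` against the expected tap name before the unset and failing otherwise, and scoping the override to the commands that need it, for example `env -u HOMEBREW_REQUIRE_TAP_TRUST brew tap "$tap"`, so the variable stays set for the rest of the script. The comment should also say plainly that this disables a security control on the runner rather than calling it "the in-script equivalent of trusting the tap", since nothing here is specific to one tap.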
