From 1d9cbf9689b24ebc52a853cb438926c85e230a20 Mon Sep 17 00:00:00 2001 From: Kush Date: Mon, 29 Jun 2026 23:53:46 -0400 Subject: [PATCH] ci: script the Homebrew formula bump instead of mislav action mislav/bump-homebrew-formula-action resolves the source tarball via a HEAD to GitHub's tarball API, which started returning HTTP 303 (not 302) around 2026-05-16; the action only accepts 302 and throws 'unexpected HTTP 303'. The fix (PR #342) is unmerged and the action's last release predates the break, so every bump now fails deterministically. Replace it with a small script: curl -L the source archive (follows any redirect) to compute the sha256, rewrite url + sha256 in the tap formula, and open the bump PR. curl fetches the same canonical archive brew downloads, so the checksum matches by construction and the formula keeps its standard github.com/archive url. Re-run safe via force-push + PR-exists check. --- .github/workflows/release.yml | 46 +++++++++++++++++++++++++++-------- 1 file changed, 36 insertions(+), 10 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1a9e094..131ec06 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -87,14 +87,40 @@ jobs: runs-on: ubuntu-latest steps: - name: Bump Homebrew formula - uses: mislav/bump-homebrew-formula-action@v3 - with: - formula-name: band - formula-path: Formula/band.rb - homebrew-tap: Bandwidth/homebrew-tap - base-branch: main - download-url: https://github.com/Bandwidth/cli/archive/refs/tags/${{ github.ref_name }}.tar.gz - commit-message: | - {{formulaName}} {{version}} env: - COMMITTER_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }} + GH_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }} + VERSION: ${{ github.ref_name }} + run: | + set -euo pipefail + + TAP="Bandwidth/homebrew-tap" + FORMULA="Formula/band.rb" + URL="https://github.com/Bandwidth/cli/archive/refs/tags/${VERSION}.tar.gz" + + # Checksum the exact archive brew downloads: curl follows GitHub's redirect + # to codeload, so this sha256 always matches the formula url's payload. + SHA="$(curl -fsSL "$URL" | sha256sum | cut -d' ' -f1)" + + git clone "https://x-access-token:${GH_TOKEN}@github.com/${TAP}.git" tap + cd tap + sed -i -E "s|^(\s*url ).*|\1\"${URL}\"|" "$FORMULA" + sed -i -E "s|^(\s*sha256 ).*|\1\"${SHA}\"|" "$FORMULA" + + if git diff --quiet; then + echo "Formula already at ${VERSION}; nothing to bump." + exit 0 + fi + + BRANCH="bump-band-${VERSION}" + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git switch -C "$BRANCH" + git commit -am "band ${VERSION}" + git push -f origin "$BRANCH" + + # Re-run safe: only open a PR if one isn't already open for this branch. + if [ -z "$(gh pr list --repo "$TAP" --head "$BRANCH" --state open --json number --jq '.[0].number')" ]; then + gh pr create --repo "$TAP" --base main --head "$BRANCH" \ + --title "band ${VERSION}" \ + --body "Automated formula bump to ${VERSION}." + fi