This repository was archived by the owner on May 21, 2026. It is now read-only.

Add formula template, renderer, and release workflows #1

Merged: sgerlach merged 15 commits into main from feat/formula-release-automation on Apr 22, 2026
@sgerlach
Contributor

Summary

Brings the tap from empty to release-ready. brew install hawkop will work
as soon as the first release of stackhawk/hawkop publishes binaries to
download.stackhawk.com/hawkop/cli/.

  • Formula template (scripts/formula-template.rb) — Homebrew formula shape
    using modern on_macos/on_linux + on_intel/on_arm DSL. Four Unix
    targets (mac x64/arm, linux x64/arm). Windows/MSI out of scope.
  • Renderer (scripts/update-formula.sh) — POSIX shell. Validates semver,
    HEADs each tarball on download.stackhawk.com, fetches .sha256 sidecars,
    substitutes placeholders via sed, writes Formula/hawkop.rb. Supports
    --dry-run and --offline. Runs brew audit --strict --online locally
    if brew is on PATH.
  • Bats test suite (9 tests, POSIX-portable).
  • Release workflow (.github/workflows/update-formula.yml) — triggered
    by workflow_dispatch (manual) or repository_dispatch (from upstream
    stackhawk/hawkop). Concurrency-guarded, contents: write scoped,
    injection-safe (all expression expansions routed through env:).
  • Audit workflow (.github/workflows/test.yml) — PR + push. Matrix on
    macOS + Ubuntu. Skips cleanly before the first release. Once binaries
    are live, probes the tarball URL and runs brew install + brew test
    when HTTP 200. contents: read scoped. Separate lint-scripts job runs
    shellcheck + bats.
  • README — release runbook + troubleshooting + a note on the pre-release
    Error: No available formula state.
  • Formula/.gitkeep removed (the release workflow creates the directory
    on first run).

Release flow

gh workflow run update-formula.yml -R stackhawk/homebrew-hawkop -f version=X.Y.Z

Or, later, stackhawk/hawkop's release pipeline can send a
repository_dispatch of type hawkop-release with {"version": "X.Y.Z"}.

Test plan

  • shellcheck scripts/update-formula.sh — clean
  • bats scripts/test-update-formula.bats — 9/9 pass
  • Both workflow files parse as YAML (ruby -ryaml -e 'YAML.load_file(...)')
  • scripts/update-formula.sh --version 0.6.2 --offline writes a syntactically
    valid Formula/hawkop.rb (ruby -c OK)
  • After merge: run Test formula workflow on a throw-away PR to confirm
    green CI in the pre-release state (audit/install should skip cleanly)
  • Once the first stackhawk/hawkop release publishes binaries, run
    gh workflow run update-formula.yml -f version=X.Y.Z and verify the
    commit lands on main and brew install works end-to-end

Known follow-ups

  • Implement repository_dispatch call from stackhawk/hawkop's gradle
    releaseBrewFormula task (currently a TODO stub). Until then the flow
    is manual-only.
  • livecheck block deferred — stackhawk/hawkop is private (no
    :github_releases visibility) and download.stackhawk.com/hawkop/manifest.json
    404s today. Add when a public manifest exists.

sgerlach added 15 commits April 21, 2026 14:29
The release pipeline in stackhawk/hawkop does not publish .sha256 sidecar
files alongside the tarballs — mirroring the hawkscan pattern of hashing
the artifact locally. Update the renderer to download each tarball and
compute SHA256 with shasum/sha256sum instead of fetching a sidecar.

Also:
- Drop the explicit `version` field from the formula template. Homebrew
  derives version from `hawkop-v<ver>-<target>.tar.gz` and flags the
  explicit field as redundant under `brew audit --strict`.
- Update the PR test workflow to symlink the checkout into the Taps dir
  and invoke `brew audit` / `brew install` / `brew test` by the tap-
  qualified name `stackhawk/hawkop/hawkop`. Current Homebrew (5.1+)
  disabled path-based audit.
- Remove the renderer's optional local brew-audit hook for the same
  reason; developers should tap the checkout and run audit manually.
- Update the probe step to extract the version from the URL pattern.

Verified end-to-end locally against v0.6.1: render, audit (clean),
install, and `brew test` all pass; `hawkop --version` reports 0.6.1.
@sgerlach sgerlach merged commit b5973f1 into main Apr 22, 2026
3 checks passed
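
The renderer steps described in the summary and in the commit message above (validate the version, hash the tarball locally, substitute into the template), as an added example that is not the repository's scripts/update-formula.sh. The `@@VERSION@@` and `@@SHA256@@` tokens and all function names are assumptions, and it accepts only plain X.Y.Z versions and works on an already downloaded file.

```shell
#!/bin/sh
# Added example, not the project's update-formula.sh. The @@VERSION@@ and
# @@SHA256@@ tokens and all function names are hypothetical.

# Accept only plain X.Y.Z. The case guard rejects every byte outside [0-9.]
# (newlines included) first, because grep matches line by line and would
# otherwise accept "1.2.3<newline>anything".
is_semver() {
  case "$1" in
    '' | *[!0-9.]*) return 1 ;;
  esac
  printf '%s\n' "$1" |
    grep -Eq '^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$'
}

# Hash a local file with sha256sum (Linux) or shasum (macOS).
sha256_of() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    echo "no SHA-256 tool on PATH" >&2; return 1
  fi
}

# render_formula VERSION TARBALL TEMPLATE: print the rendered formula.
render_formula() {
  version=$1 tarball=$2 template=$3
  is_semver "$version" || { echo "invalid version" >&2; return 2; }
  digest=$(sha256_of "$tarball") || return 3
  # Emit nothing unless the digest is exactly 64 lowercase hex characters.
  case "$digest" in
    *[!0-9a-f]*) return 3 ;;
  esac
  [ "${#digest}" -eq 64 ] || return 3
  # Both values are now restricted to [0-9a-f.], so they cannot break out
  # of the sed replacement.
  sed -e "s/@@VERSION@@/$version/g" -e "s/@@SHA256@@/$digest/g" "$template"
}

if [ "$#" -eq 3 ]; then render_formula "$@"; fi
```

Validating before substitution matters most on the `repository_dispatch` path, where the version string arrives in a payload from another repository.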