update brew tap #404

Merged
kfirstri merged 3 commits into main from support-brew
Mar 11, 2026

@kfirstri
Collaborator

@kfirstri kfirstri commented Mar 11, 2026

Note

Description

This PR automates the Homebrew tap update process as part of the release pipeline and refactors the manual-publish.yml workflow for clarity and simplicity. A new update-tap.sh script computes SHA256 checksums for each platform archive, renders the formula template, and pushes the updated formula to base44/homebrew-tap on every latest tag release. As a result, SHA256 checksum file generation is removed from package-binaries.ts, since checksums are now computed inline in CI.

Related Issue

None

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)
  • Other (please describe): CI/release automation improvement and workflow refactor

Changes Made

  • .github/workflows/manual-publish.yml: Removed update_changelog input and separate version-bump/check steps; version setting is now a single unified step
  • .github/workflows/manual-publish.yml: Consolidated Publish to NPM and Dry run publish into a single step using a conditional --dry-run flag
  • .github/workflows/manual-publish.yml: Merged Create Release and Upload binaries into a single gh release create call that uploads .tar.gz files directly
  • .github/workflows/manual-publish.yml: Removed separate skills-token generation step; reuses the existing generate-token token for both Homebrew tap and skills repo dispatch
  • .github/workflows/manual-publish.yml: Added Update Homebrew Tap step (runs on latest non-dry-run releases) that invokes update-tap.sh
  • packages/cli/infra/homebrew/update-tap.sh (new): Shell script that computes SHA256 checksums, renders base44.rb template placeholders, clones base44/homebrew-tap, and pushes the updated formula
  • packages/cli/infra/package-binaries.ts: Removed SHA256 checksum file generation (.sha256 files), since checksums are now computed inline in CI
  • packages/cli/infra/homebrew/base44.rb: Updated comments to reflect it is a CI-rendered template, not a manually-copied reference
  • docs/binary-distribution.md: Updated to reflect automated Homebrew tap workflow, removed references to .sha256 file uploads, and added user-facing brew install instructions

Testing

  • I have tested these changes locally
  • I have added/updated tests as needed
  • All tests pass (npm test)

Checklist

  • My code follows the project's style guidelines
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (if applicable)
  • My changes generate no new warnings
  • I have updated docs/ (binary-distribution.md) if I made architectural changes

Additional Notes

The Homebrew tap update only triggers when dry_run == 'false' and npm_tag == 'latest', so beta/alpha releases are unaffected. The update-tap.sh script is idempotent — if the formula is already up to date it exits cleanly without committing.


Generated by Claude | 2026-03-11 09:00 UTC

@kfirstri kfirstri self-assigned this Mar 11, 2026
@github-actions
Contributor

github-actions bot commented Mar 11, 2026

🚀 Package Preview Available!


Install this PR's preview build with npm:

npm i @base44-preview/cli@0.0.42-pr.404.3910440

Prefer not to change any import paths? Install using npm alias so your code still imports base44:

npm i "base44@npm:@base44-preview/cli@0.0.42-pr.404.3910440"

Or add it to your package.json dependencies:

{
  "dependencies": {
    "base44": "npm:@base44-preview/cli@0.0.42-pr.404.3910440"
  }
}

Preview published to npm registry — try new features instantly!

@kfirstri
Collaborator Author

@claude please go over the changes to the GitHub action (manual-publish) and try to find issues that might happen after I merge this?

@claude

claude bot commented Mar 11, 2026

Claude finished @kfirstri's task in 2m 48s


Review of manual-publish.yml changes

  • Read the changed files
  • Analyze for potential issues
  • Post review findings

Here are the issues I found, ordered by severity:


🔴 Issue 1 — Hardcoded master branch in update-tap.sh

File: packages/cli/infra/homebrew/update-tap.sh:44

git push origin master

If base44/homebrew-tap uses main as its default branch (GitHub's current default for new repos), this push will fail with a src refspec master does not match any error. This would silently leave the Homebrew formula out-of-date on every release.

Fix: Use the actual default branch, or make it configurable:

git push origin HEAD


🔴 Issue 2 — Token scope may not cover cross-repo operations

File: .github/workflows/manual-publish.yml:37-41

The generate-token step creates a GitHub App token with no owner or repositories scope:

- name: Generate a token
  id: generate-token
  uses: actions/create-github-app-token@v2
  with:
    app-id: ${{ vars.BASE44_GITHUB_ACTIONS_APP_ID }}
    private-key: ${{ secrets.BASE44_GITHUB_ACTIONS_APP_PRIVATE_KEY }}

By default, actions/create-github-app-token scopes the token to the current repository (base44/cli) only. This token is now being reused for two cross-repo operations:

  1. Update Homebrew Tap (line 152-156) — clones and pushes to base44/homebrew-tap
  2. Notify skills repo (line 158-170) — dispatches to base44/skills

The old workflow handled this by creating a separate scoped token for the skills dispatch:

- name: Generate token for skills repo
  uses: actions/create-github-app-token@v2
  with:
    app-id: ${{ vars.BASE44_GITHUB_ACTIONS_APP_ID }}
    private-key: ${{ secrets.BASE44_GITHUB_ACTIONS_APP_PRIVATE_KEY }}
    owner: base44
    repositories: skills  # explicitly scoped

The fact that a separate scoped token was used before strongly suggests the default token does not have cross-repo access. Both the Homebrew tap push and the skills dispatch will likely fail with authentication errors after merging.

Fix: Check if the GitHub App is installed at the org level with access to all repos. If not, either keep scoped tokens per repo, or generate a single org-level token:

uses: actions/create-github-app-token@v2
with:
  app-id: ${{ vars.BASE44_GITHUB_ACTIONS_APP_ID }}
  private-key: ${{ secrets.BASE44_GITHUB_ACTIONS_APP_PRIVATE_KEY }}
  owner: base44  # org-level token

🟡 Issue 3 — gh release create with unquoted glob fails if no files exist

File: .github/workflows/manual-publish.yml:149

${{ env.CLI_PACKAGE_DIR }}/dist/binaries/base44-*.tar.gz)

The glob is shell-expanded at runtime. If no .tar.gz files are found (e.g., build:binaries failed silently), the shell passes the literal glob string to gh, which will then fail with a cryptic "file not found" error rather than a clear build error.

This is low risk if the build always produces files, but worth being aware of.


🟡 Issue 4 — sed -i incompatible with macOS (local dev only)

File: packages/cli/infra/homebrew/update-tap.sh:24-28

sed -i "s/version \".*\"/version \"$VERSION\"/" /tmp/base44.rb

On macOS, sed -i requires an explicit (possibly empty) backup extension: sed -i '' "...". Without it, macOS sed will error out. This doesn't affect CI (ubuntu-latest), but anyone trying to run the script locally on macOS will hit this. Adding a comment in the usage docs or using gsed would help.


🟢 Issue 5 — Minor: RELEASE_URL env var used in a JSON payload

File: .github/workflows/manual-publish.yml:168

"release_url": "${{ env.RELEASE_URL }}",

RELEASE_URL is set via echo "RELEASE_URL=$RELEASE_URL" >> $GITHUB_ENV where $RELEASE_URL comes from gh release create output. GitHub Actions env vars in expression context are not JSON-escaped, so if the URL somehow contains special characters it could break the JSON payload. In practice this is fine since GitHub URLs are well-formed, but it's worth noting.


Summary

| # | File | Issue | Severity |
|---|------|-------|----------|
| 1 | update-tap.sh:44 | Hardcoded master branch will fail if homebrew-tap uses main | 🔴 High |
| 2 | manual-publish.yml:37 | Reused token likely lacks cross-repo access for tap + skills | 🔴 High |
| 3 | manual-publish.yml:149 | Unquoted glob could produce confusing errors if build fails | 🟡 Medium |
| 4 | update-tap.sh:24 | sed -i breaks on macOS (CI-only script, but still) | 🟡 Low |
| 5 | manual-publish.yml:168 | RELEASE_URL not JSON-escaped in payload | 🟢 Info |

Issues 1 and 2 are the ones most likely to cause real failures after merging. I'd recommend checking the branch name of homebrew-tap and verifying whether the default generate-token has org-wide access before merging.
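
The failure modes raised in Issues 3 and 4 of the review above can be guarded inside a release script. The following is an added example, not the project's update-tap.sh: the function names and the `__SHA256__` template placeholder are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: helper names and the __SHA256__ placeholder are assumptions,
# not taken from the project's update-tap.sh.

# Print matching archives one per line. When the glob matches nothing the shell
# leaves the pattern as a literal string, so test that the first match exists.
list_archives() {
  dir=$1
  set -- "$dir"/base44-*.tar.gz
  if [ ! -e "$1" ]; then
    echo "no base44-*.tar.gz in $dir (did the binary build fail?)" >&2
    return 1
  fi
  printf '%s\n' "$@"
}

# SHA256 of a file with whichever tool the platform ships (Linux or macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Render the template to a new file instead of using `sed -i`, whose syntax
# differs between GNU and BSD sed. Inputs are validated first because they are
# interpolated into the sed program.
render_formula() {
  template=$1; version=$2; sha=$3; out=$4
  case $version in ''|*[!0-9A-Za-z.+-]*) echo "bad version" >&2; return 1 ;; esac
  case $sha in ''|*[!0-9a-f]*) echo "bad checksum" >&2; return 1 ;; esac
  tmp=$(mktemp) || return 1
  sed -e "s/version \".*\"/version \"$version\"/" \
      -e "s/__SHA256__/$sha/" "$template" > "$tmp" && mv "$tmp" "$out"
}

# Constructed demo: an empty build directory is reported, not passed along.
demo_dir=$(mktemp -d)
list_archives "$demo_dir" || echo "skipping release upload"
rmdir "$demo_dir"
```
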

@kfirstri kfirstri merged commit f107530 into main Mar 11, 2026
9 checks passed
@kfirstri kfirstri deleted the support-brew branch March 11, 2026 10:01