From 875702d51a88d48921a17759d5b6ec1ec84aa35b Mon Sep 17 00:00:00 2001 From: Alexander Bayandin Date: Sun, 27 Apr 2025 22:53:06 +0100 Subject: [PATCH 1/2] dev-cmd/tap-new: support private repos --- Library/Homebrew/dev-cmd/tap-new.rb | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/Library/Homebrew/dev-cmd/tap-new.rb b/Library/Homebrew/dev-cmd/tap-new.rb index 6d80400705..1d404b0210 100644 --- a/Library/Homebrew/dev-cmd/tap-new.rb +++ b/Library/Homebrew/dev-cmd/tap-new.rb @@ -72,6 +72,13 @@ module Homebrew # write_path(tap, "README.md", readme) + tests_permissions = { + "actions" => "read", + "checks" => "read", + "contents" => "read", + "pull-requests" => "read", + } + tests_permissions["packages"] = "read" if args.github_packages? actions_main = <<~YAML name: brew test-bot @@ -87,10 +94,14 @@ module Homebrew matrix: os: [ubuntu-22.04, macos-13, macos-15] runs-on: ${{ matrix.os }} + permissions: + #{tests_permissions.sort.map { |k, v| " #{k}: #{v}" }.join("\n")} steps: - name: Set up Homebrew id: set-up-homebrew uses: Homebrew/actions/setup-homebrew@master + with: + token: ${{ github.token }} - name: Cache Homebrew Bundler RubyGems uses: actions/cache@v4 @@ -105,8 +116,20 @@ module Homebrew - run: brew test-bot --only-tap-syntax + - name: Base64-encode GITHUB_TOKEN + id: base64-encode + if: github.event_name == 'pull_request' + env: + TOKEN: ${{ github.token }} + run: | + base64_token=$(echo -n "${TOKEN}" | base64 | tr -d "\\n") + echo "::add-mask::${base64_token}" + echo "token=${base64_token}" >> "${GITHUB_OUTPUT}" + - run: brew test-bot --only-formulae#{" --root-url='#{root_url}'" if root_url} if: github.event_name == 'pull_request' + env: + HOMEBREW_DOCKER_REGISTRY_TOKEN: ${{ steps.base64-encode.outputs.token }} - name: Upload bottles as artifact if: always() && github.event_name == 'pull_request' 
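Review bot: The added `with: token: ${{ github.token }}` in the `@@ -87,10 +94,14 @@` hunk hands the job token to `Homebrew/actions/setup-homebrew@master`, a ref that can change between runs, so every generated tap trusts whatever that branch holds at run time. In this tests job the token is limited to the read scopes listed under `permissions:`, but the `@@ -145,6 +171,8 @@` hunk makes the same addition in the pr-pull job, where `contents` and `pull-requests` are `write`. Consider emitting a pinned reference from the template, e.g. `uses: Homebrew/actions/setup-homebrew@<full-commit-sha>` (placeholder), or at least a YAML comment in the generated file telling tap owners that this action receives their token. The heredoc starts and ends outside this hunk.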
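Review bot: The `env: HOMEBREW_DOCKER_REGISTRY_TOKEN` added to the `brew test-bot --only-formulae` step in the `@@ -105,8 +116,20 @@` hunk places a credential in the environment of the step that builds the formulae changed by the pull request, so any code that build runs can read it. `::add-mask::` only keeps the base64 form out of the log; it does not limit who can use the value. What bounds the exposure is the read-only `permissions:` block added earlier in this patch, and that dependency should be stated where a tap owner will see it, for example `# Token is visible to formula builds from the PR; keep this job's permissions read-only.` above the `env:` key.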
@@ -117,7 +140,10 @@ module Homebrew YAML pr_pull_permissions = { + "actions" => "read", + "checks" => "read", "contents" => "write", + "issues" => "read", "pull-requests" => "write", } pr_pull_env = { @@ -145,6 +171,8 @@ module Homebrew steps: - name: Set up Homebrew uses: Homebrew/actions/setup-homebrew@master + with: + token: ${{ github.token }} - name: Set up git uses: Homebrew/actions/git-user-config@master @@ -158,7 +186,6 @@ module Homebrew - name: Push commits uses: Homebrew/actions/git-try-push@master with: - token: ${{ github.token }} branch: #{branch} - name: Delete branch From d60e72a055c982555667471778604dc107b99c51 Mon Sep 17 00:00:00 2001 From: Alexander Bayandin Date: Mon, 28 Apr 2025 23:57:44 +0100 Subject: [PATCH 2/2] dev-cmd/tap-new: use ERB templates instead of string interpolation --- Library/Homebrew/dev-cmd/tap-new.rb | 76 ++++++++++++++--------------- 1 file changed, 37 insertions(+), 39 deletions(-) diff --git a/Library/Homebrew/dev-cmd/tap-new.rb b/Library/Homebrew/dev-cmd/tap-new.rb index 1d404b0210..5d04a15c6c 100644 --- a/Library/Homebrew/dev-cmd/tap-new.rb +++ b/Library/Homebrew/dev-cmd/tap-new.rb @@ -2,6 +2,7 @@ # frozen_string_literal: true require "abstract_command" +require "erb" require "fileutils" require "tap" require "utils/uid" 
@@ -72,30 +73,29 @@ module Homebrew # write_path(tap, "README.md", readme) - tests_permissions = { - "actions" => "read", - "checks" => "read", - "contents" => "read", - "pull-requests" => "read", - } - tests_permissions["packages"] = "read" if args.github_packages? - actions_main = <<~YAML + tests_yml = <<~ERB name: brew test-bot on: push: branches: - - #{branch} + - <%= branch %> pull_request: jobs: test-bot: strategy: matrix: - os: [ubuntu-22.04, macos-13, macos-15] + os: [ ubuntu-22.04, macos-13, macos-15 ] runs-on: ${{ matrix.os }} permissions: - #{tests_permissions.sort.map { |k, v| " #{k}: #{v}" }.join("\n")} + actions: read + checks: read + contents: read + <% if args.github_packages? -%> + packages: read + <% end -%> + pull-requests: read steps: - name: Set up Homebrew id: set-up-homebrew @@ -115,8 +115,8 @@ module Homebrew - run: brew test-bot --only-setup - run: brew test-bot --only-tap-syntax - - - name: Base64-encode GITHUB_TOKEN + <% if args.github_packages? -%> + - name: Base64-encode GITHUB_TOKEN for HOMEBREW_DOCKER_REGISTRY_TOKEN id: base64-encode if: github.event_name == 'pull_request' env: @@ -125,11 +125,13 @@ module Homebrew base64_token=$(echo -n "${TOKEN}" | base64 | tr -d "\\n") echo "::add-mask::${base64_token}" echo "token=${base64_token}" >> "${GITHUB_OUTPUT}" - - - run: brew test-bot --only-formulae#{" --root-url='#{root_url}'" if root_url} + <% end -%> + - run: brew test-bot --only-formulae<% if root_url %> --root-url='<%= root_url %>'<% end %> if: github.event_name == 'pull_request' + <% if args.github_packages? -%> env: HOMEBREW_DOCKER_REGISTRY_TOKEN: ${{ steps.base64-encode.outputs.token }} + <% end -%> - name: Upload bottles as artifact if: always() && github.event_name == 'pull_request' 
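Review bot: The `<% if args.github_packages? -%>` and `<% end -%>` lines inside `permissions:` in the `@@ -72,30 +73,29 @@` hunk drop only their trailing newline; with `trim_mode: "-"` the whitespace in front of a tag is removed only when the tag opens with `<%-`. Indentation is collapsed on this page, so I cannot tell whether these tag lines sit at the heredoc's left margin; if they are indented along with the YAML, the leftover spaces are prepended to `packages: read` and `pull-requests: read` and the permissions mapping no longer parses. Writing them as `<%- if args.github_packages? -%>` and `<%- end -%>` removes the dependency on layout, and a spec that loads both rendered files with a YAML parser, once with `args.github_packages?` true and once false, would catch a regression. The same tag pattern recurs in the `@@ -125,11 +125,13 @@`, `@@ -164,10 +151,17 @@` and `@@ -179,25 +173,29 @@` hunks.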
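Review bot: `--root-url='<%= root_url %>'` in the `@@ -125,11 +125,13 @@` hunk writes the value into a shell command with no escaping, because ERB's `<%=` emits the string as is; a value containing a single quote would end the quoting in the generated `run:` line. This is carried over from the old string interpolation, and the place where `root_url` is built is outside these hunks, so it may already be constrained. If it can be influenced by command-line input, escape it at render time, for example `--root-url=<%= Shellwords.escape(root_url) %>` with `require "shellwords"` added next to the new `require "erb"`. `<%= branch %>` and `<%= label %>` in the other hunks are written into YAML the same way and deserve the same check.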
@@ -137,24 +139,9 @@ module Homebrew with: name: bottles_${{ matrix.os }} path: '*.bottle.*' - YAML + ERB - pr_pull_permissions = { - "actions" => "read", - "checks" => "read", - "contents" => "write", - "issues" => "read", - "pull-requests" => "write", - } - pr_pull_env = { - "HOMEBREW_GITHUB_API_TOKEN" => "${{ github.token }}", - } - if args.github_packages? - pr_pull_permissions["packages"] = "write" - pr_pull_env["HOMEBREW_GITHUB_PACKAGES_TOKEN"] = "${{ github.token }}" - pr_pull_env["HOMEBREW_GITHUB_PACKAGES_USER"] = "${{ github.repository_owner }}" - end - actions_publish = <<~YAML + publish_yml = <<~ERB name: brew pr-pull on: @@ -164,10 +151,17 @@ module Homebrew jobs: pr-pull: - if: contains(github.event.pull_request.labels.*.name, '#{label}') + if: contains(github.event.pull_request.labels.*.name, '<%= label %>') runs-on: ubuntu-22.04 permissions: - #{pr_pull_permissions.sort.map { |k, v| " #{k}: #{v}" }.join("\n")} + actions: read + checks: read + contents: write + issues: read + <% if args.github_packages? -%> + packages: write + <% end -%> + pull-requests: write steps: - name: Set up Homebrew uses: Homebrew/actions/setup-homebrew@master 
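Review bot: The pr-pull `permissions:` list in the `@@ -164,10 +151,17 @@` hunk is now a fixed block that includes the three read scopes introduced by the first patch, and nothing in the template says why they are there. A job-level `permissions:` key sets every unlisted scope to none, so a later cleanup that drops `actions`, `checks` or `issues` would presumably break only taps in private repositories, which is the case the first patch's subject names. I would add a YAML comment above the block in the template, such as `# Unlisted scopes get no access; the read scopes are needed when the tap is private.` The same comment fits the tests workflow's block in the `@@ -72,30 +73,29 @@` hunk.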
@@ -179,25 +173,29 @@ module Homebrew - name: Pull bottles env: - #{pr_pull_env.sort.map { |k, v| " #{k}: #{v}" }.join("\n")} + HOMEBREW_GITHUB_API_TOKEN: ${{ github.token }} + <% if args.github_packages? -%> + HOMEBREW_GITHUB_PACKAGES_TOKEN: ${{ github.token }} + HOMEBREW_GITHUB_PACKAGES_USER: ${{ github.repository_owner }} + <% end -%> PULL_REQUEST: ${{ github.event.pull_request.number }} run: brew pr-pull --debug --tap="$GITHUB_REPOSITORY" "$PULL_REQUEST" - name: Push commits uses: Homebrew/actions/git-try-push@master with: - branch: #{branch} + branch: <%= branch %> - name: Delete branch if: github.event.pull_request.head.repo.fork == false env: BRANCH: ${{ github.event.pull_request.head.ref }} run: git push --delete origin "$BRANCH" - YAML + ERB (tap.path/".github/workflows").mkpath - write_path(tap, ".github/workflows/tests.yml", actions_main) - write_path(tap, ".github/workflows/publish.yml", actions_publish) + write_path(tap, ".github/workflows/tests.yml", ERB.new(tests_yml, trim_mode: "-").result(binding)) + write_path(tap, ".github/workflows/publish.yml", ERB.new(publish_yml, trim_mode: "-").result(binding)) unless args.no_git? cd tap.path do |path|
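Review bot: `ERB.new(tests_yml, trim_mode: "-").result(binding)` gives the template access to every local and method of the enclosing method, although the two templates read only `args`, `branch`, `label` and `root_url`. Passing the inputs explicitly, `ERB.new(tests_yml, trim_mode: "-").result_with_hash(args: args, branch: branch, root_url: root_url)` (with `label: label` in place of `root_url` for `publish_yml`), documents what the generated workflows depend on and keeps a name in the template from silently resolving to an unrelated local. The enclosing method starts and ends outside this hunk.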