workflows: use set -xeuo pipefail globally

This makes it easier to avoid subtle shell script bugs.

.github/workflows/actionlint.yml

@@ -18,6 +18,10 @@ env:
   HOMEBREW_NO_AUTO_UPDATE: 1
   HOMEBREW_NO_ENV_HINTS: 1
 
+defaults:
+  run:
+    shell: bash -xeuo pipefail {0}
+
 concurrency:
   group: "actionlint-${{ github.ref }}"
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}

.github/workflows/autogenerated-files.yml

@@ -16,6 +16,10 @@ env:
   HOMEBREW_DEVELOPER: 1
   HOMEBREW_NO_AUTO_UPDATE: 1
 
+defaults:
+  run:
+    shell: bash -xeuo pipefail {0}
+
 jobs:
   autogenerated:
     runs-on: ubuntu-22.04

.github/workflows/codeql-analysis.yml

@@ -8,6 +8,10 @@ on:
     branches:
       - master
 
+defaults:
+  run:
+    shell: bash -xeuo pipefail {0}
+
 jobs:
   analyze:
     name: Analyze

.github/workflows/docker.yml

@@ -13,6 +13,10 @@ on:
 permissions:
   contents: read
 
+defaults:
+  run:
+    shell: bash -xeuo pipefail {0}
+
 jobs:
   ubuntu:
     if: github.repository_owner == 'Homebrew'
@@ -41,7 +45,7 @@ jobs:
           date="$(date --rfc-3339=seconds --utc)"
           brew_version="$(git describe --tags --dirty --abbrev=7)"
 
-          DELIMITER="END_LABELS_$(LC_ALL=C tr -dc '[:alnum:]' </dev/urandom | head -c20)"
+          DELIMITER="END_LABELS_$(uuidgen)"
           cat <<EOS | tee -a "${GITHUB_OUTPUT}"
           labels<<${DELIMITER}
           org.opencontainers.image.created=${date}
@@ -82,7 +86,7 @@ jobs:
 
           {
             if [[ "${#tags[@]}" -ne 0 ]]; then
-              DELIMITER="END_TAGS_$(LC_ALL=C tr -dc '[:alnum:]' </dev/urandom | head -c20)"
+              DELIMITER="END_TAGS_$(uuidgen)"
               echo "tags<<${DELIMITER}"
               printf "%s\n" "${tags[@]}"
               echo "${DELIMITER}"

.github/workflows/docs.yml

@@ -17,6 +17,10 @@ env:
   HOMEBREW_BOOTSNAP: 1
   HOMEBREW_NO_INSTALL_CLEANUP: 1
 
+defaults:
+  run:
+    shell: bash -xeuo pipefail {0}
+
 jobs:
   docs:
     runs-on: ubuntu-22.04
@@ -38,8 +42,6 @@ jobs:
       - name: Cleanup Homebrew/brew docs
         if: github.repository == 'Homebrew/brew'
         run: |
-          set -xeuo pipefail
-
           # Avoid failing on broken symlinks.
           rm Library/Homebrew/os/mac/pkgconfig/fuse/fuse.pc
           rm Library/Homebrew/os/mac/pkgconfig/fuse/osxfuse.pc

.github/workflows/doctor.yml

@@ -8,11 +8,18 @@ on:
       - Library/Homebrew/extend/os/diagnostic.rb
       - Library/Homebrew/extend/os/mac/diagnostic.rb
       - Library/Homebrew/os/mac/xcode.rb
+
 permissions:
   contents: read
+
 env:
   HOMEBREW_DEVELOPER: 1
   HOMEBREW_NO_AUTO_UPDATE: 1
+
+defaults:
+  run:
+    shell: bash -xeuo pipefail {0}
+
 jobs:
   determine-runners:
     runs-on: ubuntu-22.04

.github/workflows/pkg-installer.yml

@@ -15,6 +15,11 @@ env:
   PKG_APPLE_DEVELOPER_TEAM_ID: ${{ secrets.PKG_APPLE_DEVELOPER_TEAM_ID }}
   HOMEBREW_NO_ANALYTICS_THIS_RUN: 1
   HOMEBREW_NO_ANALYTICS_MESSAGE_OUTPUT: 1
+
+defaults:
+  run:
+    shell: bash -xeuo pipefail {0}
+
 jobs:
   build:
     if: github.repository_owner == 'Homebrew' && github.actor != 'dependabot[bot]'

.github/workflows/rubydoc.yml

@@ -16,6 +16,10 @@ env:
   HOMEBREW_BOOTSNAP: 1
   HOMEBREW_NO_INSTALL_CLEANUP: 1
 
+defaults:
+  run:
+    shell: bash -xeuo pipefail {0}
+
 jobs:
   rubydoc:
     if: github.repository == 'Homebrew/brew'

.github/workflows/schemas.yml

@@ -12,6 +12,10 @@ on:
 permissions:
   contents: read
 
+defaults:
+  run:
+    shell: bash -xeuo pipefail {0}
+
 jobs:
   spdx:
     if: github.repository == 'Homebrew/brew'

.github/workflows/sorbet.yml

@@ -18,6 +18,10 @@ on:
 permissions:
   contents: read
 
+defaults:
+  run:
+    shell: bash -xeuo pipefail {0}
+
 jobs:
   tapioca:
     if: github.repository == 'Homebrew/brew'

.github/workflows/spdx.yml

@@ -12,6 +12,10 @@ on:
 permissions:
   contents: read
 
+defaults:
+  run:
+    shell: bash -xeuo pipefail {0}
+
 jobs:
   spdx:
     if: github.repository == 'Homebrew/brew'

.github/workflows/sponsors-maintainers-man-completions.yml

@@ -21,6 +21,10 @@ on:
 permissions:
   contents: read
 
+defaults:
+  run:
+    shell: bash -xeuo pipefail {0}
+
 jobs:
   updates:
     runs-on: ubuntu-22.04

.github/workflows/stale-issues.yml

@@ -17,6 +17,10 @@ permissions:
   issues: write
   pull-requests: write
 
+defaults:
+  run:
+    shell: bash -xeuo pipefail {0}
+
 concurrency:
   group: stale-issues
   cancel-in-progress: ${{ github.event_name != 'issue_comment' }}

.github/workflows/tests.yml

@@ -18,6 +18,10 @@ env:
   HOMEBREW_NO_INSTALL_CLEANUP: 1
   HOMEBREW_VERIFY_ATTESTATIONS: 1
 
+defaults:
+  run:
+    shell: bash -xeuo pipefail {0}
+
 concurrency:
   group: "${{ github.ref }}"
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
@@ -328,7 +332,7 @@ jobs:
 
           # Retry multiple times when using BuildPulse to detect and submit
           # flakiness (because rspec-retry is disabled).
-          if [[ -n "${HOMEBREW_BUILDPULSE_ACCESS_KEY_ID}" ]]
+          if [[ -n "${HOMEBREW_BUILDPULSE_ACCESS_KEY_ID-}" ]]
           then
             brew tests ${{ matrix.test-flags }} ||
             brew tests ${{ matrix.test-flags }}

.github/workflows/vendor-gems.yml

@@ -20,6 +20,10 @@ permissions:
   contents: read
   pull-requests: read
 
+defaults:
+  run:
+    shell: bash -xeuo pipefail {0}
+
 jobs:
   vendor-gems:
     if: github.repository_owner == 'Homebrew'

.github/workflows/vendor-version.yml

@@ -9,6 +9,10 @@ on:
 permissions:
   contents: read
 
+defaults:
+  run:
+    shell: bash -xeuo pipefail {0}
+
 jobs:
   check-vendor-version:
     runs-on: ubuntu-22.04