Skip to content

brew release should run an actual release workflow #20808

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
MikeMcQuaid merged 2 commits into from
Oct 13, 2025
Merged

brew release should run an actual release workflow #20808

MikeMcQuaid merged 2 commits into from
Oct 13, 2025

Conversation

Copy link
Contributor

Copilot AI commented Oct 2, 2025
edited
Loading

  • Understand current brew release command and workflow structure
  • Add workflow_dispatch trigger to pkg-installer.yml workflow
  • Move tag creation to after notarization in workflow
  • Remove release: published trigger from workflow
  • Add --force flag to brew release for dry-run by default
  • Update workflow to create tag after package is built and notarized
  • Update command to show release notes without creating release by default
  • Fix Sorbet type checking errors
  • Verify tests pass

Implementation Details

Tag Creation Timing

The tag and draft release are now created in the upload job, AFTER the package has been built and notarized. This ensures the tag only exists once the workflow has completed successfully.

Dry-Run by Default

Without --force, brew release now just shows what release notes would be generated. With --force, it triggers the workflow.

Removed Release Trigger

The workflow no longer triggers on release: published events since the workflow now handles everything.

Type Safety Fixes

  • Added proper type annotation for workflow_run_url variable: T.let(nil, T.nilable(String))
  • Used _e for exception variable in rescue block inside loop to avoid Sorbet scoping issues

Flow:

  1. brew release (without --force) shows release notes
  2. brew release --force triggers workflow
  3. Workflow builds package, notarizes it
  4. Workflow creates tag and draft release, uploads package
  5. User can then publish the immutable release
Original prompt

This section details on the original issue you should resolve

<issue_title>brew release should run an actual release workflow</issue_title>
<issue_description>### Verification

Provide a detailed description of the proposed feature

brew release currently creates a tag and draft release for us to finalize prior to publishing. This has worked well, but we'd like to start taking advantage of immutable releases. We can't enable these currently, because our pkg-installer workflow uploads the artifact once the release is created.

What is the motivation for the feature?

Immutable releases will increase user confidence with our releases. By ensuring our GitHub releases cannot be changed after publishing, we can show users that nothing was tampered with after the fact.

How will the feature be relevant to at least 90% of Homebrew users?

Users will benefit from a more robust, secure release process.

What alternatives to the feature have been considered?

Leave immutable releases off, and maintain status quo.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #20751

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

Copilot AI requested a review from MikeMcQuaid October 2, 2025 16:30
@MikeMcQuaid
Copy link
Member

MikeMcQuaid commented Oct 2, 2025

@copilot try again

Copy link
Contributor Author

Copilot AI commented Oct 2, 2025

@copilot try again

Implemented the workflow-based release process. The key changes:

  1. Added workflow_dispatch trigger to pkg-installer.yml
  2. Modified brew release to create the tag, trigger the workflow, and wait for completion
  3. The workflow now uploads the package to the draft release before it's published

This enables immutable releases by ensuring the package is attached before publication.

Commit: bc517ab

Copilot AI changed the title [WIP] brew release should run an actual release workflow brew release should run an actual release workflow Oct 2, 2025
Copilot finished work on behalf of MikeMcQuaid October 2, 2025 18:38
MikeMcQuaid
MikeMcQuaid reviewed Oct 6, 2025
View reviewed changes
Copilot AI requested a review from MikeMcQuaid October 6, 2025 16:30
Copilot finished work on behalf of MikeMcQuaid October 6, 2025 16:30
MikeMcQuaid
MikeMcQuaid reviewed Oct 7, 2025
View reviewed changes
Copilot AI requested a review from MikeMcQuaid October 7, 2025 16:05
Copilot finished work on behalf of MikeMcQuaid October 7, 2025 16:05
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 7, 2025
View reviewed changes
@MikeMcQuaid
Copy link
Member

MikeMcQuaid commented Oct 8, 2025

@copilot fix this CI failure:

+ brew typecheck
dev-cmd/release.rb:141: Changing the type of a variable is not permitted in loops and blocks https://srb.help/7001
     141 |                workflow_run_url = run["html_url"]
                                             ^^^^^^^^^^^^^^^
  Existing variable has type: `NilClass`
  Attempting to change type to: `T.untyped`

  Autocorrect: Use `-a` to autocorrect
    dev-cmd/release.rb:125: Replace with `T.let(nil, T.untyped)`
     125 |        workflow_run_url = nil
                                     ^^^

dev-cmd/release.rb:159: Changing the type of a variable is not permitted in loops and blocks https://srb.help/7001
     159 |          rescue *GitHub::API::ERRORS => e
                                                   ^
  Existing variable has type: `NilClass`
  Attempting to change type to: `Exception`

  Original type from:
    dev-cmd/release.rb:37: Possibly uninitialized (`NilClass`) in:
    37 |      def run
              ^^^^^^^
Errors: 2
Check https://docs.brew.sh/Typechecking for more information on how to resolve these errors.
Error: Process completed with exit code 1.

Copy link
Contributor Author

Copilot AI commented Oct 8, 2025

@copilot fix this CI failure:

...

Fixed the Sorbet type checking errors:

  1. Added proper type annotation: workflow_run_url = T.let(nil, T.nilable(String))
  2. Changed exception variable in rescue block from e to _e to avoid Sorbet scoping issues with loops

Commit: will be in next push

Copilot finished work on behalf of MikeMcQuaid October 8, 2025 08:14
@MikeMcQuaid MikeMcQuaid force-pushed the copilot/fix-1fb694c3-47b8-447f-808e-81504dfe1f6c branch 7 times, most recently from 60ef249 to 849f7a1 Compare October 13, 2025 13:55
@MikeMcQuaid MikeMcQuaid force-pushed the copilot/fix-1fb694c3-47b8-447f-808e-81504dfe1f6c branch from 849f7a1 to 3dc7c52 Compare October 13, 2025 14:11
@MikeMcQuaid MikeMcQuaid force-pushed the copilot/fix-1fb694c3-47b8-447f-808e-81504dfe1f6c branch from 3dc7c52 to c3a557e Compare October 13, 2025 14:14
@MikeMcQuaid MikeMcQuaid marked this pull request as ready for review October 13, 2025 14:22
@MikeMcQuaid MikeMcQuaid enabled auto-merge October 13, 2025 14:22
@MikeMcQuaid MikeMcQuaid added this pull request to the merge queue Oct 13, 2025
Merged via the queue into main with commit 59a036f Oct 13, 2025
44 checks passed
@MikeMcQuaid MikeMcQuaid deleted the copilot/fix-1fb694c3-47b8-447f-808e-81504dfe1f6c branch October 13, 2025 18:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@p-linnane p-linnane p-linnane approved these changes

+1 more reviewer

@MikeMcQuaid MikeMcQuaid MikeMcQuaid approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@MikeMcQuaid MikeMcQuaid

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

brew release should run an actual release workflow

3 participants

@MikeMcQuaid @p-linnane