feat(ci): add automatic Homebrew tap publishing #23

Merged
Configure GoReleaser and GitHub Actions to automatically publish formula updates to DataDog/homebrew-pack on releases. This enables users to install via `brew install datadog/pack/pup` for easier distribution and updates.

Changes:
- .goreleaser.yml: Add brews configuration for homebrew-pack tap
- .github/workflows/release.yml: Add HOMEBREW_TAP_TOKEN to env
- README.md: Add Homebrew as primary installation method
- CLAUDE.md: Update Quick Start with Homebrew instructions
- docs/HOMEBREW_TAP_SETUP.md: Comprehensive setup guide with:
  - Prerequisites and repository requirements
  - Step-by-step PAT creation instructions
  - GitHub secret configuration
  - Testing procedure with pre-releases
  - Troubleshooting common issues
  - Security best practices

Manual steps required:
1. Create fine-grained PAT with Contents: Read and Write on homebrew-pack
2. Add PAT as HOMEBREW_TAP_TOKEN secret to pup repository
3. Ensure homebrew-pack repository exists and is public

See docs/HOMEBREW_TAP_SETUP.md for complete instructions.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
📊 Test Coverage Report (threshold: 80%): ✅ PASSED, coverage meets minimum threshold. Updated for commit c5a1ff0.
Replace long-lived Personal Access Token with dd-octo-sts for more secure, short-lived token access to homebrew-pack repository. This eliminates the need for secret storage and manual token rotation.

Security improvements:
- Short-lived tokens (1 hour expiration, auto-revoked)
- No credential storage required (OIDC federation)
- Scoped to specific workflow and semantic version tags
- Defense-in-depth with claim pattern validation

Changes:
- .github/workflows/release.yml: Add dd-octo-sts-action step to get token
- docs/HOMEBREW_TAP_SETUP.md: Complete rewrite for dd-octo-sts approach
- docs/homebrew-pack-trust-policy.yaml: Trust policy template for homebrew-pack

Setup required:
1. Add trust policy to DataDog/homebrew-pack at .github/chainguard/pup-release.sts.yaml
2. Merge policy to default branch (no GitHub secrets needed!)

See docs/HOMEBREW_TAP_SETUP.md for complete setup instructions.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Complete rewrite of HOMEBREW_TAP_SETUP.md to use dd-octo-sts instead of PATs:
- Replaced PAT-based authentication with dd-octo-sts OIDC federation
- Added comprehensive tag protection setup instructions (Step 3)
- Included troubleshooting for tag protection scenarios
- Added security best practices for release management
- Documented both tag rulesets and protected environments approaches
- Updated comparison table showing dd-octo-sts advantages

Tag protection (recommended but optional):
- Prevents unauthorized release creation
- Aligns with dd-octo-sts security guardrails
- Ensures privileged permissions only on protected refs

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
depends on datadog-labs/homebrew-pack#3
## Summary

Configures automatic Homebrew formula publishing to `DataDog/homebrew-pack` when releases are tagged. Users will be able to install pup via `brew install datadog/pack/pup` for easier distribution and automatic updates.

## Changes

- Add `brews` configuration for homebrew-pack tap with formula metadata, install instructions, and test commands
- Add `HOMEBREW_TAP_TOKEN` environment variable to GoReleaser step

## Manual Steps Required

Before this can work in production, the following manual setup is needed:

### 1. Create Fine-grained Personal Access Token

- Token name: `pup-homebrew-tap-publisher`
- Repository access: `DataDog/homebrew-pack`
- Permissions: Contents: Read and Write

### 2. Add GitHub Secret

- `HOMEBREW_TAP_TOKEN`

### 3. Verify homebrew-pack Repository

- `Formula/` directory will be created automatically if missing

## Testing Plan

The setup guide includes instructions for testing with a pre-release:

## Documentation

See docs/HOMEBREW_TAP_SETUP.md for:

## References
🤖 Generated with Claude Code
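As an added example, not the project's own files, the configuration below puts the two approaches this PR went through side by side: the PAT-based setup described in the PR description and first commit (a long-lived secret pushed into GoReleaser's `brews` publisher), and the dd-octo-sts version from the later commits (OIDC-federated, short-lived token plus a trust policy in the tap repository). The names `pup`, `DataDog/pup`, `DataDog/homebrew-pack`, `release.yml`, `HOMEBREW_TAP_TOKEN` and the `pup-release` policy come from the commit messages. Everything else is assumed: the formula's homepage, description and license; the `DataDog/dd-octo-sts-action` input names (`scope`, `policy`) and `token` output; and the policy field names (`subject_pattern`, `claim_pattern`, `permissions`), which follow the upstream octo-sts format the page does not reproduce.

```yaml
# --- .goreleaser.yml (excerpt): publish the formula into the tap ---
# GoReleaser v2 key names (`repository:`/`directory:`); older releases used `tap:`/`folder:`.
brews:
  - name: pup
    repository:
      owner: DataDog
      name: homebrew-pack
      # Whatever token is in HOMEBREW_TAP_TOKEN pushes the formula. This stanza is
      # identical for the PAT and the dd-octo-sts variants; only the workflow
      # that fills the variable changes.
      token: "{{ .Env.HOMEBREW_TAP_TOKEN }}"
    directory: Formula
    homepage: "https://github.com/DataDog/pup"   # assumed
    description: "pup command-line tool"        # assumed placeholder
    license: "Apache-2.0"                        # assumed
    install: |
      bin.install "pup"
    test: |
      system "#{bin}/pup", "--version"
---
# --- .github/workflows/release.yml, BEFORE: long-lived PAT stored as a secret ---
# Weak setting: the PAT lives until someone rotates it by hand, and any workflow
# that can read repository secrets can exfiltrate it.
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: goreleaser/goreleaser-action@v6
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
---
# --- .github/workflows/release.yml, AFTER: OIDC-federated short-lived token ---
on:
  push:
    tags: ["v*"]

permissions:
  contents: write   # GoReleaser creates the GitHub release in DataDog/pup
  id-token: write   # needed to mint the OIDC token that dd-octo-sts verifies

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # Exchange this job's OIDC token for a one-hour GitHub token whose scope is
      # fixed by the `pup-release` policy in DataDog/homebrew-pack. No secret is
      # stored in the pup repository.
      - id: octo-sts
        uses: DataDog/dd-octo-sts-action@v1   # input names assumed
        with:
          scope: DataDog/homebrew-pack
          policy: pup-release
      - uses: goreleaser/goreleaser-action@v6
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_TOKEN: ${{ steps.octo-sts.outputs.token }}
---
# --- DataDog/homebrew-pack: .github/chainguard/pup-release.sts.yaml ---
# Trust policy, merged to the tap repo's default branch (field names assumed).
issuer: https://token.actions.githubusercontent.com
# Only a run of DataDog/pup on a semantic-version tag. If the job is bound to a
# protected environment instead, GitHub's `sub` claim becomes
# repo:DataDog/pup:environment:<name> and this pattern must change with it.
subject_pattern: 'repo:DataDog/pup:ref:refs/tags/v[0-9]+\.[0-9]+\.[0-9]+'
# Defense in depth: also pin the workflow file, so another workflow in the same
# repository running on the same tag cannot borrow this identity.
claim_pattern:
  job_workflow_ref: 'DataDog/pup/\.github/workflows/release\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+'
permissions:
  contents: write   # push the formula; nothing else on homebrew-pack
```

The subject and claim patterns only prove which workflow and which ref asked for the token. They do not stop anyone with push access to DataDog/pup from creating a matching `v1.2.3` tag and triggering that workflow, which is why the third commit recommends tag rulesets or a protected environment as the guardrail in front of the policy. To check the cut-over, run a pre-release tag and confirm the job step gets a token, that the formula commit in homebrew-pack is authored by the dd-octo-sts app rather than the PAT owner, and then delete the `HOMEBREW_TAP_TOKEN` secret and the PAT itself.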