fix(release): add homebrew cask audit validation

.github/workflows/release-config-check.yml

@@ -178,3 +178,49 @@ jobs:
           echo "Checking for Docker image artifacts..."
           ls -la dist/ | grep -E "docker|image" || true
           echo "GoReleaser Docker build validation successful"
+
+  homebrew-cask-audit:
+    name: Audit Generated Homebrew Cask
+    runs-on: macos-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.25'
+          cache: true
+
+      - name: Generate cask with GoReleaser snapshot
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: '~> v2'
+          args: release --snapshot --clean --skip=publish,docker
+
+      - name: Verify cask was generated
+        run: |
+          echo "Checking for generated cask..."
+          ls -la dist/homebrew/Casks/
+          test -f dist/homebrew/Casks/dsops.rb || (echo "Cask not generated" && exit 1)
+          echo "Generated cask contents:"
+          cat dist/homebrew/Casks/dsops.rb
+
+      - name: Audit generated cask
+        run: |
+          # Create a local tap with the generated cask
+          # (brew audit requires a tap name, not a file path)
+          TAP_PATH="$(brew --repository)/Library/Taps/local/homebrew-dsops-test"
+          mkdir -p "$TAP_PATH/Casks"
+          cp dist/homebrew/Casks/dsops.rb "$TAP_PATH/Casks/"
+
+          # Run brew audit on the cask by tap name
+          # Skip checks that fail for snapshot builds (URLs don't exist yet)
+          brew audit --cask "local/dsops-test/dsops" \
+            --except=cask_checksum_mismatch \
+            --except=cask_download_url_not_found \
+            --except=cask_download_url
+          echo "Homebrew cask audit passed!"

.goreleaser.yml

@@ -98,9 +98,6 @@ homebrew_casks:
     homepage: "https://github.com/systmms/dsops"
     description: "Secret management for development and production environments"
     skip_upload: auto  # Skip for pre-releases
-    # URL verification for homebrew audit
-    url:
-      verified: github.com/systmms/dsops
     # Shell completions
     completions:
       bash: "completions/dsops.bash"

flake.nix

@@ -34,6 +34,7 @@
             # Build tools
             gnumake
             git
+            # goreleaser installed via go install for latest version (see shellHook)
 
             # Provider CLI tools for integration (install separately if needed)
             # _1password-cli
@@ -86,6 +87,11 @@
               go install golang.org/x/vuln/cmd/govulncheck@latest
             fi
 
+            if ! command -v goreleaser &> /dev/null; then
+              echo "📦 Installing goreleaser..."
+              go install github.com/goreleaser/goreleaser/v2@latest
+            fi
+
             echo "🔐 dsops development environment activated"
             echo ""
             echo "Available commands:"

lefthook.yml

@@ -10,3 +10,7 @@ pre-commit:
     mod-tidy-check:
       glob: "{**/*.go,go.mod,go.sum}"
       run: make mod-tidy-check
+    goreleaser-check:
+      glob: ".goreleaser.yml"
+      run: goreleaser check
+      fail_text: "GoReleaser config validation failed"

specs/020-release-distribution/contracts/goreleaser.yaml

@@ -99,9 +99,6 @@ homebrew_casks:
     homepage: "https://github.com/systmms/dsops"
     description: "Secret management for development and production environments"
     skip_upload: auto  # Skip for pre-releases
-    # URL verification for homebrew audit
-    url:
-      verified: github.com/systmms/dsops
     # Shell completions
     completions:
       bash: "completions/dsops.bash"