From a258650dce0fd381a3edf20fd8c222aec3da1c64 Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Mon, 24 Feb 2025 12:00:04 -0500
Subject: [PATCH] use reproducible source archive as homebrew release source
---
.github/workflows/homebrew.yml | 42 ++++++++++++++++++++++++++--------
.github/workflows/release.yml | 9 +++++++-
2 files changed, 40 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/homebrew.yml b/.github/workflows/homebrew.yml
index a1d1d994..f3bb7e8a 100644
--- a/.github/workflows/homebrew.yml
+++ b/.github/workflows/homebrew.yml
@@ -23,20 +23,42 @@ jobs: exit 1 fi - update-brew: + brew_formula: needs: enforce_stable_semver - if: github.repository_owner == 'openziti' - runs-on: ubuntu-latest + if: github.repository_owner == 'openziti' || github.repository_owner == 'openziti-test-kitchen' + runs-on: ubuntu-24.04 steps: - - name: Extract Version - id: extract-version - run: | - echo "tag-name=${GITHUB_REF#refs/tags/}" | tee -a ${GITHUB_OUTPUT} - - uses: mislav/bump-homebrew-formula-action@v3.1 - if: ${{ !contains(github.ref, '-') }} + - name: Get Checksums File + shell: bash + run: | + curl -sSLf -o checksums.sha256.txt \ + https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/checksums.sha256.txt + + - name: Get Source Archive + shell: bash + run: | + curl -sSLf -o source.tar.gz \ + https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/source.tar.gz + + - name: Verify Source Archive Checksum + shell: bash + run: | + shasum --algorithm 256 --ignore-missing --check checksums.sha256.txt + + - name: Extract Source Archive Checksum + id: source + shell: bash + run: | + CHECKSUM=$(grep -E '\bsource\.tar\.gz$' checksums.sha256.txt | cut -d' ' -f1) + echo "sha256=${CHECKSUM}" | tee -a "$GITHUB_OUTPUT" + + - name: Upload Release Source Archive to Homebrew + uses: mislav/bump-homebrew-formula-action@v3.2 with: formula-name: zrok - download-url: https://github.com/openziti/zrok/archive/refs/tags/${{ steps.extract-version.outputs.tag-name }}.tar.gz + download-url: https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/source.tar.gz + download-sha256: ${{ steps.source.outputs.sha256 }} + homebrew-tap: ${{ vars.ZROK_BREW_TAP || 'Homebrew/homebrew-core' }} env: COMMITTER_TOKEN: ${{ secrets.BREW_COMMITTER_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 11ddbe79..8ec9a3da 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
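Review bot: The `homebrew-tap` fallback fails open: the job is now also enabled for `openziti-test-kitchen`, and a release there without `ZROK_BREW_TAP` set resolves to `Homebrew/homebrew-core`, so a test release could open a formula bump against the real tap if `BREW_COMMITTER_TOKEN` exists in that org. Gating in the job condition closes this, `if: github.repository_owner == 'openziti' || (github.repository_owner == 'openziti-test-kitchen' && vars.ZROK_BREW_TAP != '')`. Separately, the verify step checks `source.tar.gz` against a checksums file fetched from the same release, so it catches a corrupted download but not a replaced asset; a comment such as `# integrity check only: archive and checksums come from the same release` would keep it from being read as an authenticity check. The action that receives the token is referenced by the mutable tag `@v3.2`; pinning it to a full commit SHA is the usual hardening.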
@@ -269,6 +269,12 @@ jobs: - run: | mkdir -p ./automated-release-build + - name: Fetch Source Archive + shell: bash + run: | + curl -L -o ./automated-release-build/source.tar.gz \ + https://api.github.com/repos/${{ github.repository }}/tarball/${{ github.ref_name }} + - uses: actions/download-artifact@v4 with: path: ./automated-release-build @@ -277,7 +283,8 @@ jobs: - run: | ls -lAR ./automated-release-build/ - shasum ./automated-release-build/* > ./automated-release-build/checksums.txt + cd ./automated-release-build/ + shasum --algorithm 256 ./* | tee ./checksums.sha256.txt - uses: goreleaser/goreleaser-action@v6 with:
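Review bot: The new `curl -L -o` call in "Fetch Source Archive" has no `--fail`, so an HTTP error body from the API (a rate-limit or not-found response, for example) is saved as `source.tar.gz` and the step still succeeds. That file is then hashed into `checksums.sha256.txt` by the later step and, as far as this patch shows, becomes the archive whose digest the Homebrew job pins. Use the same flags as the Homebrew workflow, `curl -sSLf -o ./automated-release-build/source.tar.gz \`, and consider adding `-H "Authorization: Bearer ${GH_TOKEN}"` with `GH_TOKEN: ${{ github.token }}` under `env:` so the request does not depend on the unauthenticated rate limit. `${{ github.ref_name }}` is also expanded straight into the script text; passing it through `env:` and quoting it keeps the shell from interpreting the tag name.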
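Review bot: Piping into `tee ./checksums.sha256.txt` inside the directory being globbed introduces a race: `tee` creates the output file while `./*` is being expanded, so the checksums file can list itself with the digest of an empty or partial file. The `--check` run in the Homebrew workflow would then likely reject that entry. This `run:` step also sets no `shell: bash`, so, assuming the default Linux shell invocation without `pipefail`, a `shasum` failure is hidden behind `tee`'s exit status. Writing outside the directory first avoids both: `shasum --algorithm 256 ./* > "${RUNNER_TEMP}/checksums.sha256.txt"` followed by `mv "${RUNNER_TEMP}/checksums.sha256.txt" ./ && cat ./checksums.sha256.txt`.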