use reproducible source archive as homebrew release source

2025-06-25 12:12:32 +02:00 · 2025-02-24 12:00:04 -05:00 · 2025-02-24 12:00:04 -05:00 · a258650dce
commit a258650dce
parent 83469b4892
2 changed files with 40 additions and 11 deletions
--- a/.github/workflows/homebrew.yml
+++ b/.github/workflows/homebrew.yml
@ -23,20 +23,42 @@ jobs:
            exit 1
          fi

-  update-brew:
+  brew_formula:
    needs: enforce_stable_semver
-    if: github.repository_owner == 'openziti'
-    runs-on: ubuntu-latest
+    if: github.repository_owner == 'openziti' || github.repository_owner == 'openziti-test-kitchen'
+    runs-on: ubuntu-24.04
    steps:
-      - name: Extract Version
-        id: extract-version
-        run: |
-          echo "tag-name=${GITHUB_REF#refs/tags/}" | tee -a ${GITHUB_OUTPUT}

-      - uses: mislav/bump-homebrew-formula-action@v3.1
-        if: ${{ !contains(github.ref, '-') }}
+      - name: Get Checksums File
+        shell: bash
+        run: |
+          curl -sSLf -o checksums.sha256.txt \
+            https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/checksums.sha256.txt
+
+      - name: Get Source Archive
+        shell: bash
+        run: |
+          curl -sSLf -o source.tar.gz \
+            https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/source.tar.gz
+
+      - name: Verify Source Archive Checksum
+        shell: bash
+        run: |
+          shasum --algorithm 256 --ignore-missing --check checksums.sha256.txt
+
+      - name: Extract Source Archive Checksum
+        id: source
+        shell: bash
+        run: |
+          CHECKSUM=$(grep -E '\bsource\.tar\.gz$' checksums.sha256.txt | cut -d' ' -f1)
+          echo "sha256=${CHECKSUM}" | tee -a "$GITHUB_OUTPUT"
+
+      - name: Upload Release Source Archive to Homebrew
+        uses: mislav/bump-homebrew-formula-action@v3.2
        with:
          formula-name: zrok
-          download-url: https://github.com/openziti/zrok/archive/refs/tags/${{ steps.extract-version.outputs.tag-name }}.tar.gz
+          download-url: https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/source.tar.gz
+          download-sha256: ${{ steps.source.outputs.sha256 }}
+          homebrew-tap: ${{ vars.ZROK_BREW_TAP || 'Homebrew/homebrew-core' }}
        env:
          COMMITTER_TOKEN: ${{ secrets.BREW_COMMITTER_TOKEN }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -269,6 +269,12 @@ jobs:
      - run: |
          mkdir -p ./automated-release-build

+      - name: Fetch Source Archive
+        shell: bash
+        run: |
+          curl -L -o ./automated-release-build/source.tar.gz \
+            https://api.github.com/repos/${{ github.repository }}/tarball/${{ github.ref_name }}
+
      - uses: actions/download-artifact@v4
        with:
          path: ./automated-release-build
@ -277,7 +283,8 @@ jobs:

      - run: |
          ls -lAR ./automated-release-build/
-          shasum ./automated-release-build/* > ./automated-release-build/checksums.txt
+          cd ./automated-release-build/
+          shasum --algorithm 256 ./* | tee ./checksums.sha256.txt

      - uses: goreleaser/goreleaser-action@v6
        with: