fix(ci): harden package-homebrew version extraction and SHA validation #96

Merged
zircote merged 2 commits into fix/homebrew-workflow-race from copilot/sub-pr-95 on Feb 22, 2026

Conversation

Copilot AI commented Feb 22, 2026

package-homebrew.yml had two gaps left from the workflow_run migration: version extraction silently accepted any head_branch value (including non-tag branch names), and the SHA uniqueness guard only covered the three binary assets, leaving completions, man pages, and source tarball downloads unchecked for 404 collisions.

Changes

  • Version validation — both trigger paths now enforce semver format via grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+...':
    • workflow_run: exits with a descriptive error if head_branch isn't a vX.Y.Z tag ref
    • workflow_dispatch: strips an optional leading v, then validates the remainder before proceeding
  • Expanded SHA uniqueness guard — check now covers all 6 assets (ARM64, AMD64, Linux, completions, man pages, source tarball); threshold raised from 3 → 6 unique values
  • Robust unique-count — replaced wc -l with grep -c . to avoid off-by-one when sort -u output lacks a trailing newline
```bash
# Before: silently used branch name as version
VERSION="${RUN_HEAD_BRANCH#v}"

# After: validates tag format first
if printf '%s\n' "$RUN_HEAD_BRANCH" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+([0-9A-Za-z.+-]*)?$'; then
  VERSION="${RUN_HEAD_BRANCH#v}"
else
  echo "Error: workflow_run triggered from non-tag ref '$RUN_HEAD_BRANCH'." >&2
  exit 1
fi
```

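The two checks described in the post above (tag-ref version validation for both trigger paths, and the six-asset SHA uniqueness guard counted with `grep -c .`), as an added example written for this page rather than the project's own workflow code; the function names, the error text for the dispatch path and the sample digests in the test are assumptions.

```shell
#!/bin/sh
# Added example (not the project's workflow): the two checks this PR adds,
# written as plain shell functions so they can be run outside GitHub Actions.
# Patterns and error texts follow the PR description; function names are mine.

TAG_RE='^v[0-9]+\.[0-9]+\.[0-9]+([0-9A-Za-z.+-]*)?$'   # workflow_run path
VER_RE='^[0-9]+\.[0-9]+\.[0-9]+([0-9A-Za-z.+-]*)?$'    # workflow_dispatch path

# version_from_ref REF: only a vX.Y.Z tag ref yields a version; a branch
# name such as "main" is rejected instead of being used as the version.
version_from_ref() {
  if printf '%s\n' "$1" | grep -Eq "$TAG_RE"; then
    printf '%s\n' "${1#v}"
  else
    echo "Error: workflow_run triggered from non-tag ref '$1'." >&2
    return 1
  fi
}

# version_from_input INPUT: strip an optional leading v, then validate
# the remainder before it reaches any download URL.
version_from_input() {
  v="${1#v}"
  if printf '%s\n' "$v" | grep -Eq "$VER_RE"; then
    printf '%s\n' "$v"
  else
    echo "Error: version input '$1' is not X.Y.Z." >&2
    return 1
  fi
}

# count_unique SHA...: number of distinct values; `grep -c .` counts
# non-empty lines, which is the PR's replacement for `wc -l`.
count_unique() {
  printf '%s\n' "$@" | sort -u | grep -c .
}

# assert_unique_assets N SHA...: all N assets must hash differently.
# Identical digests mean several URLs returned the same body (e.g. an
# error page fetched for a wrong version), so the release is rejected.
assert_unique_assets() {
  expected="$1"; shift
  n=$(count_unique "$@")
  if [ "$n" -ne "$expected" ]; then
    echo "Error: expected $expected unique SHA256 values, got $n." >&2
    return 1
  fi
}
```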

- Add semver validation for workflow_run (tag ref check) and
  workflow_dispatch (input format check) version extraction
- Expand SHA uniqueness guard from 3 binary assets to all 6 assets
  (ARM64, AMD64, Linux, completions, man pages, source tarball)
- Replace wc -l with grep -c . for robust unique-SHA counting

Co-authored-by: zircote <307960+zircote@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix CI workflow run trigger for Homebrew packaging" to "fix(ci): harden package-homebrew version extraction and SHA validation" on Feb 22, 2026
Copilot AI requested a review from zircote February 22, 2026 22:08
@zircote zircote marked this pull request as ready for review February 22, 2026 23:39
Copilot AI review requested due to automatic review settings February 22, 2026 23:39
@zircote zircote merged commit 0d0360d into fix/homebrew-workflow-race Feb 22, 2026
@zircote zircote deleted the copilot/sub-pr-95 branch February 22, 2026 23:39
Copilot AI left a comment

Pull request overview

This PR hardens the package-homebrew.yml workflow by adding validation to prevent silent failures when triggered with invalid version references, and expands asset integrity checks to cover all downloaded artifacts.

Changes:

  • Added semver format validation for both workflow_run (tag-based) and workflow_dispatch (manual input) trigger paths
  • Expanded SHA256 uniqueness verification from 3 binary assets to all 6 downloaded assets (binaries, completions, man pages, source tarball)
  • Improved SHA counting robustness by replacing wc -l with grep -c . to avoid off-by-one errors
