From 427a2e15c3840284229db77f4a084f857c861b6e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 22 Feb 2026 22:03:44 +0000 Subject: [PATCH 1/2] Initial plan From 0ac9be83e4617833bc48ce429263ed8d480f2e4a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 22 Feb 2026 22:07:10 +0000 Subject: [PATCH 2/2] fix(ci): apply review feedback to package-homebrew.yml - Add semver validation for workflow_run (tag ref check) and workflow_dispatch (input format check) version extraction - Expand SHA uniqueness guard from 3 binary assets to all 6 assets (ARM64, AMD64, Linux, completions, man pages, source tarball) - Replace wc -l with grep -c . for robust unique-SHA counting Co-authored-by: zircote <307960+zircote@users.noreply.github.com> --- .github/workflows/package-homebrew.yml | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/.github/workflows/package-homebrew.yml b/.github/workflows/package-homebrew.yml index f77342f..20049fb 100644 --- a/.github/workflows/package-homebrew.yml +++ b/.github/workflows/package-homebrew.yml 
@@ -46,9 +46,21 @@ jobs: REPO: ${{ github.repository }} run: | if [ "$EVENT_NAME" = "workflow_run" ]; then - VERSION="${RUN_HEAD_BRANCH#v}" + # Expect RUN_HEAD_BRANCH to be a tag like "v1.2.3" + if printf '%s\n' "$RUN_HEAD_BRANCH" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+([0-9A-Za-z.+-]*)?$'; then + VERSION="${RUN_HEAD_BRANCH#v}" + else + echo "Error: workflow_run triggered from non-tag ref '$RUN_HEAD_BRANCH'. Expected a tag like 'v1.2.3'." >&2 + exit 1 + fi else - VERSION="$INPUT_VERSION" + # Normalize INPUT_VERSION by stripping optional leading "v" + RAW_VERSION="${INPUT_VERSION#v}" + if ! printf '%s\n' "$RAW_VERSION" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+([0-9A-Za-z.+-]*)?$'; then + echo "Error: Provided version '$INPUT_VERSION' is not a valid semantic version (e.g., 1.2.3)." >&2 + exit 1 + fi + VERSION="$RAW_VERSION" fi echo "version=$VERSION" >> "$GITHUB_OUTPUT" @@ -81,11 +93,11 @@ jobs: SRC_SHA=$(curl -sL "$SRC_URL" \ | shasum -a 256 | awk '{print $1}') - # Verify all SHAs are unique (identical = failed downloads) - SHAS="$ARM64_SHA $AMD64_SHA $LINUX_SHA" - UNIQUE=$(echo "$SHAS" | tr ' ' '\n' | sort -u | wc -l) - if [ "$UNIQUE" -lt 3 ]; then - echo "::error::SHA mismatch: binary SHAs are not unique." + # Verify all asset SHAs are unique (identical = failed downloads) + SHAS="$ARM64_SHA $AMD64_SHA $LINUX_SHA $COMP_SHA $MAN_SHA $SRC_SHA" + UNIQUE=$(echo "$SHAS" | tr ' ' '\n' | sort -u | grep -c .) + if [ "$UNIQUE" -lt 6 ]; then + echo "::error::SHA mismatch: asset SHAs are not unique." echo " Assets may not have been uploaded yet." exit 1 fi
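Review bot: The new format checks pipe the value through `grep -Eq`, which matches line by line, so a multi-line `INPUT_VERSION` passes as soon as one of its lines looks like a version; the whole value is then appended to `$GITHUB_OUTPUT` by `echo "version=$VERSION"`, where a newline starts another entry. Matching the whole string closes that gap, e.g. `if ! [[ "$RAW_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.-]+)*$ ]]; then`, assuming the step runs under bash, which the hunk does not show. The `RUN_HEAD_BRANCH` branch uses the same pattern, although a git ref name cannot itself contain a newline. Separately, the suffix group `([0-9A-Za-z.+-]*)?` needs no `-` or `+` separator, so values such as `1.2.3.4` or `1.2.3abc` are accepted as versions. The step's `env:` block begins above the hunk, so where `INPUT_VERSION` comes from is inferred from its name.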
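Review bot: The expanded uniqueness guard still passes when a single download fails, because one error body hashes to a value that differs from the five good digests; only two or more identical failures are caught. The visible `curl -sL "$SRC_URL"` call has no `-f`, so an HTTP error page is hashed like a real asset, and that digest would presumably be carried forward as the asset's checksum. Failing at the download is more reliable than inferring it afterwards: put `set -o pipefail` at the top of the script and use `curl -fsSL "$SRC_URL"` for each asset. The hunk begins in the middle of the `SRC_SHA` assignment and the other five curl calls are outside it, so they are assumed to have the same form.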