PR Custody

PRPR Custody

ci: add bump-homebrew-tap workflow

@sarahsimionescuchecks n/achecks…sarah/bump-homebrew-tap → next2 files · +220 −0review: @jkomynoupdated 1mo ago

GitHub

▸Description· 2 comments · 1 noise

Summary

New workflow that auto-bumps the Homebrew formula in ComposioHQ/homebrew-tap whenever a stable CLI release is published.
Triggers on release: published for tags matching @composio/cli@*. Skips beta/rc/alpha tags. Also exposes workflow_dispatch for manual replay.
Pulls SHA256s from the release's checksums.txt, edits Formula/composio.rb in the tap repo, and commits/pushes (no-op if already current).

Setup required before this can run

Create a fine-grained PAT scoped to ComposioHQ/homebrew-tap only, with Contents: read/write.
Add it as a repo secret named HOMEBREW_TAP_TOKEN in this repo.

Without that secret the checkout step will fail; the workflow won't break anything else.

Test plan

Land this PR
Add HOMEBREW_TAP_TOKEN secret
Manually run via workflow_dispatch with tag @composio/cli@0.2.28 — should be a no-op (formula already at 0.2.28)
Verify next CLI release auto-bumps the formula

@sarahsimionescu1mo ago

(from sarah's claude)

Thanks for the review @jkomyno — accepted all six in f427a94. Summary:

#	Finding	Resolution
1	`version` re.sub replacement-string injection	Lambda replacement in extracted script
2	`tag` re.sub replacement-string injection	Lambda replacement in extracted script
3	Concurrent releases racing on tap push	`concurrency: { group: bump-homebrew-tap, cancel-in-progress: false }`
4	`grep	pipefail` swallowing the clearer error
5	Filename convention	Renamed to `cli.bump-homebrew-tap.yml`
6	Extract Python heredoc	New `.github/scripts/bump-homebrew-formula.py`, executable, locally testable

Verified the extracted script locally before pushing:

Happy path: produces an identical diff to the inlined version (version + 4 URLs + 4 SHAs all bump correctly).
Injection defense: ran the script with TAG='@composio/cli@1.0.0\g<1>' — \g<1> is written literally to the formula instead of being interpreted as capture-group 1. Defense confirmed.
Also added an unexpected-edit-count guard (n_ver != 1 or n_url == 0 or n_sha == 0) so a malformed formula fails loudly instead of silently no-op'ing.

Ready for another look when you have a moment.

@sarahsimionescu1mo ago

(from sarah's claude)

Good catch @cursor — confirmed real bug introduced by the heredoc extraction. When the Python was inline, no source-repo checkout was needed; after extracting to `.github/scripts/bump-homebrew-formula.py` I forgot to add one. Fixed in f921eb9 with an `actions/checkout@v4` step before the tap checkout (tap uses `path: tap` so no collision).

Still waiting on @jkomyno for re-review of the original six.

▸ 1 bot/status comment hidden

@vercel[bot]1mo ago

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	May 14, 2026 0:54am

loading diff…

@sarahsimionescu1mo ago

(from sarah's claude)

Thanks for the review @jkomyno — accepted all six in f427a94. Summary:

#	Finding	Resolution
1	`version` re.sub replacement-string injection	Lambda replacement in extracted script
2	`tag` re.sub replacement-string injection	Lambda replacement in extracted script
3	Concurrent releases racing on tap push	`concurrency: { group: bump-homebrew-tap, cancel-in-progress: false }`
4	`grep	pipefail` swallowing the clearer error
5	Filename convention	Renamed to `cli.bump-homebrew-tap.yml`
6	Extract Python heredoc	New `.github/scripts/bump-homebrew-formula.py`, executable, locally testable

Verified the extracted script locally before pushing:

Happy path: produces an identical diff to the inlined version (version + 4 URLs + 4 SHAs all bump correctly).
Injection defense: ran the script with TAG='@composio/cli@1.0.0\g<1>' — \g<1> is written literally to the formula instead of being interpreted as capture-group 1. Defense confirmed.
Also added an unexpected-edit-count guard (n_ver != 1 or n_url == 0 or n_sha == 0) so a malformed formula fails loudly instead of silently no-op'ing.

Ready for another look when you have a moment.