Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump Homebrew formula on new release #64

Merged
merged 3 commits into from
Dec 28, 2020

Conversation

vladimyr
Copy link
Contributor

Which issue does this fix?

It addresses concerns from #63 (review)

Describe the solution

Automatically sends PR to homebrew-core repo on every new release. 🎉

@jacobdeichert
Copy link
Owner

Hey @vladimyr this PR looks very helpful!

However, after looking at mislav/bump-homebrew-formula-action, I'm a bit concerned about this:

You should enable GITHUB_TOKEN only if the repository that runs this Action is private and if COMMITTER_TOKEN has the public_repo scope only. GITHUB_TOKEN will be used for verifying the SHA256 sum of the downloadable archive for this release.

In their documentation, it seems that this is required:

env:
          COMMITTER_TOKEN: ${{ secrets.COMMITTER_TOKEN }}
          # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}    # optional i guess?

Anyway, have you used this action successfully before? Any idea why GITHUB_TOKEN is only recommended for private repos? When searching GitHub for GITHUB_TOKEN, it's in many public repositories... so I'm a bit confused here.

If you're unsure, maybe I should post an issue over there to figure out why.

@vladimyr
Copy link
Contributor Author

Anyway, have you used this action successfully before?

If you count https://github.com/starship/starship releases as my fault then the answer is yes 😄

Any idea why GITHUB_TOKEN is only recommended for private repos? When searching GitHub for GITHUB_TOKEN, it's in many public repositories... so I'm a bit confused here.

That's just naming, for example, starship calls it HOMEBREW_API_TOKEN: https://github.com/starship/starship/blob/35a0a20f5c4fea6a08e1b91ff631b089eef8fc50/.github/workflows/deploy.yml#L26-L34
People usually name any Github API token as GITHUB_TOKEN. Here is what is important to understand. This action has 2 inputs, one is optional. The first is used for creating pull requests in the Homebrew repo and the second is optionally used in case software, it is bumping formula for, lives in the private repo so action itself could actually access it. Former is named COMITTER_TOKEN later is GITHUB_TOKEN. But those are just parameter names, you may as well call them FOO & BAR inside your secrets config 🙃
Because mask lives in the public repo you only need commiter token and I used the Github token that was already in use inside that workflow → GITHUB_TOKEN. Does this answer your concerns?

@jacobdeichert
Copy link
Owner

@vladimyr thanks for describing this process! That clears things up a lot.

Next time I prep a release, I'll aim to get this PR merged and see how it goes :)

@jacobdeichert jacobdeichert merged commit b84788a into jacobdeichert:master Dec 28, 2020
@vladimyr vladimyr deleted the bump-homebrew-formula branch December 28, 2020 06:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants