fix(ci): chain Homebrew formula bump into release-cli pipeline#4826
The bump-homebrew workflow triggered on `release: published`, but since v0.2.11 dropped --draft the CLI release auto-publishes via GITHUB_TOKEN — and GitHub does not fire workflow triggers for GITHUB_TOKEN-generated events. So the formula bump never ran and the tap stuck at 0.2.7 while the CLI shipped through 0.2.19. Convert bump-homebrew.yml to a reusable workflow (workflow_call + workflow_dispatch, tag input) and call it as a needs:release job from release-cli.yml, so the bump runs in the same workflow run.
📝 Walkthrough

The PR refactors the Homebrew formula update workflow from a release event listener into a reusable workflow. The bump-homebrew workflow is updated to accept a required

Changes: Reusable Homebrew workflow integration
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release-cli.yml:
- Around line 5-7: Update the comment referencing workflow_dispatch to
accurately state that manual dispatch does not trigger the full pipeline;
clarify that workflow_dispatch only runs the build step because the release and
bump-homebrew jobs are gated to tag pushes (refs/tags/cli-v*). Edit the comment
mentioning workflow_dispatch so it explains it is a manual build-only escape
hatch for testing and not a way to run the release or bump-homebrew jobs.
- Line 95: Replace the broad "secrets: inherit" on the reusable workflow call
with a least-privilege secrets mapping that passes only the HOMEBREW_TAP_TOKEN
to the called workflow; find the reusable workflow invocation where "secrets:
inherit" appears and change it to explicitly map HOMEBREW_TAP_TOKEN from the
caller's secrets so no other secrets are forwarded.
📒 Files selected for processing (2)
.github/workflows/bump-homebrew.yml
.github/workflows/release-cli.yml
| # Homebrew formula. workflow_dispatch is the manual escape hatch for testing | ||
| # the full pipeline without cutting a tag (the release job is gated to tag | ||
| # pushes only). |
Adjust the workflow_dispatch comment to match behavior.
Lines 5-7 say manual dispatch tests the “full pipeline,” but release and bump-homebrew are both gated to refs/tags/cli-v*, so dispatch currently runs build-only.
| uses: ./.github/workflows/bump-homebrew.yml | ||
| with: | ||
| tag: ${{ github.ref_name }} | ||
| secrets: inherit |
Narrow secret scope for the reusable workflow call.
Line 95 inherits all available secrets into the called workflow. Pass only HOMEBREW_TAP_TOKEN to reduce blast radius.
🔐 Proposed least-privilege change
# .github/workflows/release-cli.yml
bump-homebrew:
@@
- secrets: inherit
+ secrets:
+ HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}

# .github/workflows/bump-homebrew.yml
on:
workflow_call:
inputs:
tag:
description: "CLI release tag (cli-v<semver>)"
required: true
type: string
+ secrets:
+ HOMEBREW_TAP_TOKEN:
+ required: true
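Review bot: The caller mapping in the first hunk and the callee `secrets:` declaration in the second have to land together: GitHub rejects a caller that passes a secret the called workflow has not declared under `workflow_call`, and `required: true` turns a missing `HOMEBREW_TAP_TOKEN` into a validation failure before any job starts, instead of an empty token that only surfaces when the tap push fails. Until both halves are applied, the `secrets: inherit` line shown in the caller hunk above keeps forwarding every repository and organization secret into bump-homebrew.yml, which is the blast radius the comment is trying to cut.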
Greptile Summary

This PR fixes a long-standing Homebrew formula staleness bug by converting

Confidence Score: 5/5

Safe to merge — the change is a targeted wiring fix with no logic alterations to the build, release, or formula-rendering steps. The root cause is well-diagnosed and the fix is minimal.

No files require special attention.
| Filename | Overview |
|---|---|
| .github/workflows/bump-homebrew.yml | Converted from release: published event-driven workflow to a reusable workflow_call/workflow_dispatch workflow; tag validation, SHA computation, formula rendering, and push logic are unchanged. |
| .github/workflows/release-cli.yml | Adds bump-homebrew job chained via needs: release, correctly gated with if: startsWith(github.ref, 'refs/tags/cli-v') so it is skipped on workflow_dispatch test runs. |
Sequence Diagram
sequenceDiagram
participant GitPush as git push cli-v*
participant ReleaseCLI as release-cli.yml
participant Build as build (build-cli.yml)
participant Release as release job
participant GitHub as GitHub Releases
participant BumpHB as bump-homebrew job
participant BumpWF as bump-homebrew.yml (reusable)
participant Tap as superset-sh/homebrew-tap
GitPush->>ReleaseCLI: "push: tags cli-v*"
ReleaseCLI->>Build: trigger build matrix
Build-->>Release: artifacts ready
Release->>GitHub: gh release create (tarballs)
GitHub-->>Release: release published
Release-->>BumpHB: needs: release ✅
BumpHB->>BumpWF: workflow_call (tag input)
BumpWF->>GitHub: curl download tarballs + SHA256
BumpWF->>Tap: checkout via HOMEBREW_TAP_TOKEN
BumpWF->>Tap: "render & push superset.rb"
Note over BumpWF: workflow_dispatch also available for manual re-bump
Non-applicable to current fork structure: superset-sh#3960 and superset-sh#4068 require linux-arm64/full CLI dist targets that this fork does not ship; superset-sh#4678 targets a relay deploy script intentionally absent from the fork; superset-sh#4694 requires DuckDB native packaging but the fork has no DuckDB runtime dependency; superset-sh#4822 targets removed v1 import modal paths; superset-sh#4826 assumes upstream release-cli.yml while this fork uses build-cli.yml with draft release semantics.
Problem

The Homebrew tap formula has been stuck at 0.2.7 while the CLI shipped through 0.2.19 — `brew install superset` gives users a months-old build.

`bump-homebrew.yml` triggered on `on: release: [published]`. But the v0.2.11 commit (0fcec53ff) dropped `--draft` from `release-cli.yml` so the per-version release auto-publishes. The catch: that publish now happens via the workflow's `GITHUB_TOKEN`, and GitHub deliberately does not fire workflow triggers for events generated by `GITHUB_TOKEN` (anti-recursion safeguard; only `workflow_dispatch`/`repository_dispatch` are exempt).

Timeline that matches the symptom exactly:

- `--draft`, published manually in the UI → human `published` event → bump ran ✅
- `--draft`, never manually published → sat as drafts → no event → no bump
- `--draft` dropped, auto-published by `GITHUB_TOKEN` → trigger suppressed → no bump ❌

(Corroboration: `desktop-v*` releases still fire `bump-homebrew` — it runs and skips on the tag filter — because desktop keeps `--draft` and is published by a human.)

Fix

Stop depending on the cross-workflow `release: published` event entirely:

- `bump-homebrew.yml` → reusable workflow (`workflow_call` + `workflow_dispatch`, validated `tag` input). Render/SHA/push logic unchanged.
- `release-cli.yml` → calls it as a `needs: release` job (`uses:` + `secrets: inherit`), so the bump runs in the same workflow run. Deterministic, immune to the `GITHUB_TOKEN` rule.
- `workflow_dispatch` also lets anyone re-bump a specific tag by hand.

Out of band

The tap was already manually bumped to 0.2.19 (superset-sh/homebrew-tap@b7823a2) so brew users are unstuck today. This PR prevents the drift from recurring.

Summary by cubic

Chains the Homebrew formula bump into the `release-cli` workflow so every `cli-v*` release updates the tap. Removes reliance on `release: published`, which doesn't fire for `GITHUB_TOKEN` releases.

- Converts `.github/workflows/bump-homebrew.yml` to a reusable workflow with `workflow_call` and `workflow_dispatch` (`tag` input).
- Calls it from `.github/workflows/release-cli.yml` as a `needs: release` job with `secrets: inherit`, ensuring the bump runs after assets publish.
- Uses `workflow_dispatch` to re-bump any tag when needed.
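The wiring that the Fix section above and the CodeRabbit least-privilege comment describe, as one added example that is not the PR's own files (this page does not reproduce them): the caller gates `release` and `bump-homebrew` on `cli-v*` tag refs, chains the bump with `needs: release` so it runs in the same workflow run, and passes only `HOMEBREW_TAP_TOKEN`; the callee declares the `tag` input and the secret under `workflow_call`, keeps `workflow_dispatch` for manual re-bumps, and refuses a tag that is not `cli-v<semver>` before it touches the tap. Job and step names, the `permissions` blocks, the tarball asset names and the formula layout are assumptions of mine, not taken from the repository.

```yaml
# .github/workflows/release-cli.yml -- caller side (added example, assumed shape; not the PR's file)
name: release-cli
on:
  push:
    tags: ["cli-v*"]
  workflow_dispatch:       # build-only escape hatch: release and bump-homebrew are tag-gated below
permissions:
  contents: read
jobs:
  build:
    uses: ./.github/workflows/build-cli.yml
  release:
    needs: build
    if: startsWith(github.ref, 'refs/tags/cli-v')
    runs-on: ubuntu-latest
    permissions:
      contents: write      # only this job may create the release
    steps:
      - uses: actions/download-artifact@v4
        with: { path: dist, merge-multiple: true }
      - run: gh release create "$GITHUB_REF_NAME" dist/*.tar.gz
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # GITHUB_TOKEN publish: no `release:` trigger fires
  bump-homebrew:
    needs: release         # same run as the publish, so no cross-workflow event is involved
    if: startsWith(github.ref, 'refs/tags/cli-v')
    uses: ./.github/workflows/bump-homebrew.yml
    with:
      tag: ${{ github.ref_name }}
    secrets:               # explicit mapping in place of `secrets: inherit`
      HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}

# .github/workflows/bump-homebrew.yml -- callee side (added example, assumed shape)
name: bump-homebrew
on:
  workflow_call:
    inputs:
      tag: { description: "CLI release tag (cli-v<semver>)", required: true, type: string }
    secrets:
      HOMEBREW_TAP_TOKEN: { required: true }  # caller must pass it; a missing secret fails at validation
  workflow_dispatch:                          # manual re-bump; reads the repository's own secret
    inputs:
      tag: { description: "CLI release tag (cli-v<semver>)", required: true, type: string }
permissions:
  contents: read           # the tap push authenticates with HOMEBREW_TAP_TOKEN, not GITHUB_TOKEN
jobs:
  bump:
    runs-on: ubuntu-latest
    env:
      TAG: ${{ inputs.tag }}   # inputs.tag resolves for both workflow_call and workflow_dispatch
    steps:
      - name: Validate tag     # assumed check: refuse anything that is not cli-v<semver>
        run: |
          if ! printf '%s\n' "$TAG" | grep -Eq '^cli-v[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "refusing to bump: '$TAG' is not a cli-v<semver> tag" >&2
            exit 1
          fi
      - uses: actions/checkout@v4
        with:
          repository: superset-sh/homebrew-tap
          token: ${{ secrets.HOMEBREW_TAP_TOKEN }}
      - name: Download the release tarballs and compute their SHA256
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release download "$TAG" --repo "$GITHUB_REPOSITORY" --pattern '*.tar.gz' --dir assets
          sha256sum assets/*.tar.gz > shas.txt
      - name: Render superset.rb and push   # asset names and formula layout are assumptions
        run: |
          version="${TAG#cli-v}"
          base="https://github.com/${GITHUB_REPOSITORY}/releases/download/${TAG}"
          sha_arm=$(awk '/darwin-arm64/ {print $1}' shas.txt)
          sha_x64=$(awk '/darwin-x64/ {print $1}' shas.txt)
          cat > Formula/superset.rb <<EOF
          class Superset < Formula
            desc "Superset CLI"
            homepage "https://github.com/${GITHUB_REPOSITORY}"
            version "${version}"
            on_arm do
              url "${base}/superset-darwin-arm64.tar.gz"
              sha256 "${sha_arm}"
            end
            on_intel do
              url "${base}/superset-darwin-x64.tar.gz"
              sha256 "${sha_x64}"
            end
            def install
              bin.install "superset"
            end
          end
          EOF
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add Formula/superset.rb
          git commit -m "superset ${version}"
          git push
```

With `secrets: inherit` gone, the only secret crossing the call boundary is the tap token; `GITHUB_TOKEN` stays available in the called workflow because GitHub passes it implicitly, which is what the download step relies on. On the `workflow_dispatch` path `secrets.HOMEBREW_TAP_TOKEN` comes from the repository's own secrets, so the step references are identical for both triggers, and a manual run on the caller side still stops after `build` because the two tag-gated jobs are skipped.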