release: remove debug job, gate brew upload on HOMEBREW_TAP_TOKEN

- debug job served its purpose (proved workflow_run fires correctly) and is gone - restore the [skip-release] guard - brews.skip_upload is now a go-template that evaluates to true when HOMEBREW_TAP_TOKEN is empty, so tag pushes before the tap is created don't fail the whole release (v0.0.1 cut fine but the goreleaser exit code was 1 because the brew step 401'd)
2026-06-26 21:36:31 +02:00 · 2026-04-18 11:21:32 +02:00 · 2026-04-18 11:21:32 +02:00 · 4d847ec633
commit 4d847ec633
parent 75aa6d4771
2 changed files with 12 additions and 28 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -30,28 +30,10 @@ concurrency:
  cancel-in-progress: false

 jobs:
-  debug:
-    # One-shot diagnostic job with no if-filter: dumps the full
-    # workflow_run context so we can see what fields are actually
-    # populated on the webhook payload. Remove once the release job
-    # starts firing reliably.
-    runs-on: ubuntu-latest
-    steps:
-      - name: dump workflow_run
-        env:
-          WR: ${{ toJSON(github.event.workflow_run) }}
-        run: |
-          echo "conclusion: ${{ github.event.workflow_run.conclusion }}"
-          echo "head_branch: ${{ github.event.workflow_run.head_branch }}"
-          echo "head_sha: ${{ github.event.workflow_run.head_sha }}"
-          echo "---"
-          printenv WR | head -c 2000
-
  release:
-    needs: debug
    # Only run when ci succeeded and we're on main, and when the head
    # commit doesn't opt out via [skip-release].
-    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main' }}
+    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main' && !contains(github.event.workflow_run.head_commit.message, '[skip-release]') }}
    runs-on: ubuntu-latest
    steps:
      - name: checkout
@ -113,7 +95,8 @@ jobs:
          # goreleaser reads the tag we just pushed and builds binaries
          # for every (goos, goarch) combination in .goreleaser.yaml.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # Optional: PAT with `repo` scope for patriceckhart/homebrew-tap
-          # so we can push a Formula/zot.rb update on every release.
-          # If unset, goreleaser skips the brew step (skip_upload: auto).
-          HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
+          # Optional PAT with `repo` scope for patriceckhart/homebrew-tap.
+          # Always exported (as empty string when the secret is unset)
+          # so the goreleaser template that gates the brew upload on
+          # this value can evaluate without errors.
+          HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN || '' }}
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -102,8 +102,9 @@ release:
 # Optional: publish a Homebrew formula to a tap repo on every release.
 # Requires the tap repo to exist at github.com/patriceckhart/homebrew-tap
 # and a PAT with `repo` scope exported as `HOMEBREW_TAP_TOKEN` in the
-# release workflow. Safe to leave enabled even before the tap exists;
-# goreleaser skips it when the token isn't set.
+# release workflow. The skip_upload expression disables the step when
+# the token isn't set, so tag pushes before the tap is created don't
+# fail the whole release.
 brews:
  - repository:
      owner: patriceckhart
@ -117,6 +118,6 @@ brews:
      bin.install "zot"
    test: |
      system "#{bin}/zot", "--help"
-    # Only publish the formula when the token is actually set, so
-    # ordinary tag pushes from forks don't explode.
-    skip_upload: auto
+    # Skip the formula upload when HOMEBREW_TAP_TOKEN is empty. Auto
+    # only skips for prereleases/snapshots, which isn't what we want.
+    skip_upload: '{{ if eq .Env.HOMEBREW_TAP_TOKEN "" }}true{{ else }}false{{ end }}'