From 4d847ec6335d747449fe362aee2de0b983b0b74c Mon Sep 17 00:00:00 2001 From: patriceckhart Date: Sat, 18 Apr 2026 11:21:32 +0200 Subject: [PATCH] release: remove debug job, gate brew upload on HOMEBREW_TAP_TOKEN - debug job served its purpose (proved workflow_run fires correctly) and is gone - restore the [skip-release] guard - brews.skip_upload is now a go-template that evaluates to true when HOMEBREW_TAP_TOKEN is empty, so tag pushes before the tap is created don't fail the whole release (v0.0.1 cut fine but the goreleaser exit code was 1 because the brew step 401'd) --- .github/workflows/release.yml | 29 ++++++----------------------- .goreleaser.yaml | 11 ++++++----- 2 files changed, 12 insertions(+), 28 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 82f01a4..2cb9076 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,28 +30,10 @@ concurrency: cancel-in-progress: false jobs: - debug: - # One-shot diagnostic job with no if-filter: dumps the full - # workflow_run context so we can see what fields are actually - # populated on the webhook payload. Remove once the release job - # starts firing reliably. - runs-on: ubuntu-latest - steps: - - name: dump workflow_run - env: - WR: ${{ toJSON(github.event.workflow_run) }} - run: | - echo "conclusion: ${{ github.event.workflow_run.conclusion }}" - echo "head_branch: ${{ github.event.workflow_run.head_branch }}" - echo "head_sha: ${{ github.event.workflow_run.head_sha }}" - echo "---" - printenv WR | head -c 2000 - release: - needs: debug # Only run when ci succeeded and we're on main, and when the head # commit doesn't opt out via [skip-release]. - if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main' }} + if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main' && !contains(github.event.workflow_run.head_commit.message, '[skip-release]') }} runs-on: ubuntu-latest steps: - name: checkout @@ -113,7 +95,8 @@ jobs: # goreleaser reads the tag we just pushed and builds binaries # for every (goos, goarch) combination in .goreleaser.yaml. GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # Optional: PAT with `repo` scope for patriceckhart/homebrew-tap - # so we can push a Formula/zot.rb update on every release. - # If unset, goreleaser skips the brew step (skip_upload: auto). - HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }} + # Optional PAT with `repo` scope for patriceckhart/homebrew-tap. + # Always exported (as empty string when the secret is unset) + # so the goreleaser template that gates the brew upload on + # this value can evaluate without errors. + HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN || '' }} diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 9d7ca24..84cf0cc 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -102,8 +102,9 @@ release: # Optional: publish a Homebrew formula to a tap repo on every release. # Requires the tap repo to exist at github.com/patriceckhart/homebrew-tap # and a PAT with `repo` scope exported as `HOMEBREW_TAP_TOKEN` in the -# release workflow. Safe to leave enabled even before the tap exists; -# goreleaser skips it when the token isn't set. +# release workflow. The skip_upload expression disables the step when +# the token isn't set, so tag pushes before the tap is created don't +# fail the whole release. brews: - repository: owner: patriceckhart @@ -117,6 +118,6 @@ brews: bin.install "zot" test: | system "#{bin}/zot", "--help" - # Only publish the formula when the token is actually set, so - # ordinary tag pushes from forks don't explode. - skip_upload: auto + # Skip the formula upload when HOMEBREW_TAP_TOKEN is empty. Auto + # only skips for prereleases/snapshots, which isn't what we want. + skip_upload: '{{ if eq .Env.HOMEBREW_TAP_TOKEN "" }}true{{ else }}false{{ end }}'