From 7878cf94f54fabed000699d665a777b095d80486 Mon Sep 17 00:00:00 2001 From: Raminder Singh Date: Wed, 22 Apr 2026 17:10:22 +0530 Subject: [PATCH 1/2] fix: generate short-lived token to create PRs in homebrew and scoop repos --- .../manual-release-brew-and-scoop.yaml | 6 ++--- .github/workflows/release-homebrew-tap.yaml | 22 ++++++++++++++----- .github/workflows/release-scoop-bucket.yaml | 19 +++++++++++----- 3 files changed, 31 insertions(+), 16 deletions(-) diff --git a/.github/workflows/manual-release-brew-and-scoop.yaml b/.github/workflows/manual-release-brew-and-scoop.yaml index 033de77f..871c2c65 100644 --- a/.github/workflows/manual-release-brew-and-scoop.yaml +++ b/.github/workflows/manual-release-brew-and-scoop.yaml @@ -15,12 +15,10 @@ jobs: uses: ./.github/workflows/release-homebrew-tap.yaml with: tag: ${{ github.event.inputs.tag }} - secrets: - homebrew_tap_rw: ${{ secrets.HOMEBREW_TAP_RW }} + secrets: inherit call-release-scoop-bucket: uses: ./.github/workflows/release-scoop-bucket.yaml with: tag: ${{ github.event.inputs.tag }} - secrets: - scoop_bucket_rw: ${{ secrets.SCOOP_BUCKET_RW }} + secrets: inherit diff --git a/.github/workflows/release-homebrew-tap.yaml b/.github/workflows/release-homebrew-tap.yaml index 65e7b24a..773ea072 100644 --- a/.github/workflows/release-homebrew-tap.yaml +++ b/.github/workflows/release-homebrew-tap.yaml @@ -6,9 +6,6 @@ on: tag: required: true type: string - secrets: - homebrew_tap_rw: - required: true permissions: contents: write 
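Review bot: `secrets: inherit` on both calls makes every secret visible to this workflow available to the reusable workflows, where the removed lines passed exactly one named secret each. The called workflows appear to need only `GH_APP_PRIVATE_KEY` (`GH_APP_ID` is read from `vars`), so I would keep the explicit contract: declare `gh_app_private_key:` with `required: true` under `on.workflow_call.secrets` in each reusable workflow, and pass `gh_app_private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}` here. That keeps the consumers of the key greppable and prevents a secret added later from becoming available to those jobs without anyone deciding so. The same applies to the two `secrets: inherit` calls added to release-cli.yaml in patch 2/2.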
@@ -17,12 +14,23 @@ jobs: release: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Generate GitHub App Token + id: app-token + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 + with: + app-id: ${{ vars.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: supabase + repositories: homebrew-tap + + - name: Checkout homebrew-tap repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: supabase/homebrew-tap ref: "main" - token: ${{ secrets.homebrew_tap_rw }} + token: ${{ steps.app-token.outputs.token }} fetch-depth: 0 + - name: Compute tag and version id: vars run: | @@ -30,6 +38,7 @@ jobs: echo "tag=${tag}" >> "$GITHUB_OUTPUT" # strip the leading v (if present) echo "version=${tag#v}" >> "$GITHUB_OUTPUT" + - name: Download Linux AMD64 package uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1 with: @@ -50,6 +59,7 @@ jobs: repository: "supabase/dbdev" tag: ${{ inputs.tag }} fileName: "dbdev-${{ inputs.tag }}-macos-arm64.tar.gz" + - name: Generate Manifest File run: | linux_amd64_hash=`shasum -a 256 dbdev-${{ inputs.tag }}-linux-amd64.tar.gz | cut -d" " -f1` @@ -115,7 +125,7 @@ jobs: - name: Create Pull Request uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: - token: ${{ secrets.homebrew_tap_rw }} + token: ${{ steps.app-token.outputs.token }} commit-message: "Release dbdev version v${{ steps.vars.outputs.version }}" title: "Release dbdev version v${{ steps.vars.outputs.version }}" body-path: PR_BODY.md diff --git a/.github/workflows/release-scoop-bucket.yaml b/.github/workflows/release-scoop-bucket.yaml index 626660fe..1e667ace 100644 --- a/.github/workflows/release-scoop-bucket.yaml +++ b/.github/workflows/release-scoop-bucket.yaml 
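Review bot: The `Generate GitHub App Token` step limits the token to one repository but not to specific permissions, so the token carries whatever the app installation was granted. The action accepts `permission-<name>` inputs; adding `permission-contents: write` and `permission-pull-requests: write` to its `with:` block would cap the token at what the checkout and create-pull-request steps use. The same step in release-scoop-bucket.yaml needs the same two lines. Separately, now that writes to the tap go through the app token, the workflow-level `permissions: contents: write` shown as context may be reducible to `contents: read`, but the steps outside these hunks should be checked first.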
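Review bot: The checkout step still persists the app token in the clone's git config even though `Create Pull Request` now receives the same token through its own `token` input, so the download and manifest steps in between run with a write-capable credential on disk. Adding `persist-credentials: false` to the `Checkout homebrew-tap repository` step would narrow where that token lives. As far as I know create-pull-request sets up git authentication from its `token` input, but confirm that with one manual run before relying on it. The equivalent pair of steps in release-scoop-bucket.yaml can be changed the same way.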
@@ -6,9 +6,6 @@ on: tag: required: true type: string - secrets: - scoop_bucket_rw: - required: true permissions: contents: write @@ -17,11 +14,21 @@ jobs: release: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Generate GitHub App Token + id: app-token + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 + with: + app-id: ${{ vars.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: supabase + repositories: scoop-bucket + + - name: Checkout scoop-bucket repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: supabase/scoop-bucket ref: "main" - token: ${{ secrets.scoop_bucket_rw }} + token: ${{ steps.app-token.outputs.token }} fetch-depth: 0 - name: Compute tag and version @@ -71,7 +78,7 @@ jobs: - name: Create Pull Request uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: - token: ${{ secrets.scoop_bucket_rw }} + token: ${{ steps.app-token.outputs.token }} commit-message: "Release dbdev version v${{ steps.vars.outputs.version }}" title: "Release dbdev version v${{ steps.vars.outputs.version }}" body-path: PR_BODY.md From 998fd302e7017a97ff7bd7d1c646f7f65aed789a Mon Sep 17 00:00:00 2001 From: Raminder Singh Date: Wed, 22 Apr 2026 17:15:38 +0530 Subject: [PATCH 2/2] feat: run homebrew and scoop release automatically on a tag push --- .github/workflows/release-cli.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/workflows/release-cli.yaml b/.github/workflows/release-cli.yaml index 4151b616..5a4d4aa0 100644 --- a/.github/workflows/release-cli.yaml +++ b/.github/workflows/release-cli.yaml 
@@ -186,3 +186,20 @@ jobs: asset_path: ./cli/target/release/dbdev.zip asset_name: dbdev-${{ github.ref_name }}-windows-amd64.zip asset_content_type: application/zip + + release-homebrew-tap: + needs: + - build-linux + - build-macos + uses: ./.github/workflows/release-homebrew-tap.yaml + with: + tag: ${{ github.ref_name }} + secrets: inherit + + release-scoop-bucket: + needs: + - build-windows + uses: ./.github/workflows/release-scoop-bucket.yaml + with: + tag: ${{ github.ref_name }} + secrets: inherit
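Review bot: `tag: ${{ github.ref_name }}` passes a pushed ref name into release-homebrew-tap.yaml, whose `Generate Manifest File` step expands `${{ inputs.tag }}` directly inside its `run:` script (visible as context in patch 1/2), so the tag text becomes part of the shell source before bash parses it. Git allows characters in ref names that the shell treats as syntax, and that job now also holds a token that can write to the tap repository. I would bind the value once on that step with `env:` / `TAG: ${{ inputs.tag }}` and use `"$TAG"` in the script, and do the same in the scoop workflow if its script follows the same pattern (it is outside the visible hunks). The trigger of release-cli.yaml is also outside this hunk, so who can push matching tags should be confirmed.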