From 96dbe9dec00b41b68907708d7535437677d3fde7 Mon Sep 17 00:00:00 2001
From: Andrew Altshuler <andrew@collectivelab.io>
Date: Sat, 6 Jun 2026 00:44:48 +0300
Subject: [PATCH] fix(release): make Homebrew audit non-blocking + set up brew
 on runner (#140)

The v0.6.1 Release shipped binaries but the Homebrew tap update job died at
the audit step (brew not on the ubuntu runner; exit 127), skipping the formula
push so the tap stayed at 0.6.0.

- Install Homebrew via Homebrew/actions/setup-homebrew so brew is available.
- Make both the setup and audit steps continue-on-error: they are best-effort
  diagnostics (the formula is correct by construction via
  update-homebrew-formula.sh), so neither can skip the actual tap publish.
- Drop --online from brew audit for deterministic, network-independent linting.
---
 .github/workflows/release.yml | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3a66ff2..a265c40 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -121,16 +121,30 @@ jobs:
         run: |
           ./scripts/update-homebrew-formula.sh "${GITHUB_REF_NAME}" homebrew-tap/Formula/omnigraph.rb
 
+      # Diagnostic only: brew is not on PATH on the ubuntu runner by default, so
+      # set it up explicitly. Both this setup and the audit below are best-effort
+      # canaries, not gates — continue-on-error on each keeps a failed/flaky brew
+      # (the action is pinned to a moving @master ref) from skipping the actual
+      # tap publish below. The formula is correct by construction
+      # (update-homebrew-formula.sh), so brew tooling must never block the push.
+      - name: Set up Homebrew
+        if: env.HOMEBREW_TAP_SKIP != '1'
+        continue-on-error: true
+        uses: Homebrew/actions/setup-homebrew@master
+
       - name: Audit generated formula
         if: env.HOMEBREW_TAP_SKIP != '1'
+        continue-on-error: true
         run: |
           # Audit the checked-out tap by name (brew audit rejects bare paths
           # and needs tap context). Symlink the checkout into Homebrew's Taps
-          # tree so `modernrelay/tap/omnigraph` resolves to it.
+          # tree so `modernrelay/tap/omnigraph` resolves to it. Offline audit
+          # (no --online) keeps it deterministic; it still catches the
+          # ComponentsOrder/structure class of problems.
           tap_dir="$(brew --repository)/Library/Taps/modernrelay/homebrew-tap"
           mkdir -p "$(dirname "$tap_dir")"
           ln -sfn "$PWD/homebrew-tap" "$tap_dir"
-          brew audit --strict --online modernrelay/tap/omnigraph
+          brew audit --strict modernrelay/tap/omnigraph
 
       - name: Commit and push formula update
         if: env.HOMEBREW_TAP_SKIP != '1'