fix(release): generate audit-clean Homebrew formula (#134)

The generated formula failed `brew audit --strict` with 5 problems: `version` declared after `license`, and `url`/`sha256` placed directly inside `on_macos`/`on_linux` (forbidden by FormulaAudit/ComponentsOrder). Order `version` before `license`, hoist `head`/`livecheck` above the platform blocks, and nest `url`/`sha256` in `on_arm`/`on_intel`. Add a `brew audit --strict --online` gate to the release workflow so a malformed formula can never be published again. Verified clean against v0.6.0. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 01:35:18 +02:00 · 2026-06-01 12:56:21 +01:00 · 2026-06-01 12:56:21 +01:00 · fab105bcce
commit fab105bcce
parent 353c0c876a
2 changed files with 27 additions and 13 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -121,6 +121,17 @@ jobs:
        run: |
          ./scripts/update-homebrew-formula.sh "${GITHUB_REF_NAME}" homebrew-tap/Formula/omnigraph.rb

+      - name: Audit generated formula
+        if: env.HOMEBREW_TAP_SKIP != '1'
+        run: |
+          # Audit the checked-out tap by name (brew audit rejects bare paths
+          # and needs tap context). Symlink the checkout into Homebrew's Taps
+          # tree so `modernrelay/tap/omnigraph` resolves to it.
+          tap_dir="$(brew --repository)/Library/Taps/modernrelay/homebrew-tap"
+          mkdir -p "$(dirname "$tap_dir")"
+          ln -sfn "$PWD/homebrew-tap" "$tap_dir"
+          brew audit --strict --online modernrelay/tap/omnigraph
+
      - name: Commit and push formula update
        if: env.HOMEBREW_TAP_SKIP != '1'
        working-directory: homebrew-tap
--- a/scripts/update-homebrew-formula.sh
+++ b/scripts/update-homebrew-formula.sh
@ -64,20 +64,8 @@ cat >"$FORMULA_PATH" <<EOF
 class Omnigraph < Formula
  desc "Typed property graph database with Git-style workflows"
  homepage "https://github.com/${REPO_SLUG}"
-  license "MIT"
  version "${VERSION}"
-
-  on_macos do
-    depends_on arch: :arm64
-    url "${MACOS_ARM_URL}"
-    sha256 "${MACOS_ARM_SHA}"
-  end
-
-  on_linux do
-    url "${LINUX_X86_URL}"
-    sha256 "${LINUX_X86_SHA}"
-  end
-
+  license "MIT"
  head "https://github.com/${REPO_SLUG}.git", branch: "main"

  livecheck do
@ -85,6 +73,21 @@ class Omnigraph < Formula
    regex(/^v?(\\d+(?:\\.\\d+)+)$/i)
  end

+  on_macos do
+    depends_on arch: :arm64
+    on_arm do
+      url "${MACOS_ARM_URL}"
+      sha256 "${MACOS_ARM_SHA}"
+    end
+  end
+
+  on_linux do
+    on_intel do
+      url "${LINUX_X86_URL}"
+      sha256 "${LINUX_X86_SHA}"
+    end
+  end
+
  def install
    bin.install "omnigraph", "omnigraph-server"
  end