
Switch Homebrew tap to a source-build formula#8

Open
kshahbw wants to merge 1 commit into main from feat/source-build-formula

Conversation

@kshahbw
Contributor

@kshahbw kshahbw commented May 4, 2026

Summary

The current brews: block in goreleaser emits a Homebrew formula that downloads the pre-built binary tarball and bin.installs it. Three things wrong with that long-term:

  1. brew audit --strict keeps tripping on the redundant version field goreleaser hardcodes. Hand-edited around it twice on past releases (266a39f8, 032387d2 in the tap); neither edit survived the next goreleaser run.
  2. brews: is being phased out in goreleaser (target removal: v3, no announced date) — eventually we'd have to migrate anyway.
  3. The next obvious move (Cask) introduces Gatekeeper concerns that need signing+notarization to fully solve. Real engineering work just to dodge a UX regression.

Source-build matches what gh, glab, fly, and the rest of the Go CLI ecosystem actually do.

Validated locally with the formula against v0.1.0-beta's GitHub source archive:

| Check | Result |
| --- | --- |
| brew audit --strict | ✅ Passes clean |
| brew install time | ~22s (6s actual go build) |
| band version | 0.1.0-beta (ldflag injection works) |
| Quarantine xattr | ✅ None — no Gatekeeper involvement |
| Final binary size | 8.8 MB (same as before) |

Changes

  • Drop brews: block from .goreleaser.yml. Goreleaser still produces tarballs for direct GitHub downloads — that part stays.
  • Add a bump-formula job to the release workflow that runs after release and uses mislav/bump-homebrew-formula-action to open a PR on Bandwidth/homebrew-tap updating url and sha256 to the new tag's source archive.
  • Companion change is on the tap's feat/source-build-formula branch — replaces Formula/band.rb with the source-build version.

User-facing impact

Same install command (brew install bandwidth/tap/band), same brew upgrade band flow. First-install time goes from ~5s to ~22s if the user doesn't already have Go (brew auto-installs it as a build dep). For an engineer audience this is a non-event.

No more Gatekeeper concerns on any user's machine, no signing infrastructure needed.

Test plan

  • Merge tap PR first so the source-build formula is on tap main
  • Merge this PR
  • Cut a new tag (e.g. v0.1.1-beta) — release workflow runs, opens an auto-PR on the tap with bumped url + sha256
  • Verify tap PR audit passes strict
  • Merge tap PR, verify brew upgrade band works on a clean machine

The current goreleaser brews block emits a formula that downloads
the pre-built binary tarball and bin.installs it. Three things wrong
with that long-term: brew audit --strict trips on the redundant
version field goreleaser hardcodes, brews itself is being phased out
in goreleaser v3, and the next obvious move (Cask) introduces
Gatekeeper concerns that need signing+notarization to fully solve.

Source-build matches what gh, glab, fly, and the rest of the Go CLI
ecosystem actually do. Validated locally: brew audit --strict passes
clean, install completes in ~22s on a stock machine (6s of which is
the actual go build), no quarantine xattr is set so Gatekeeper never
gets involved, and the version is still injected via the same -X
ldflag we use today.

Drop the brews block from goreleaser (still produces tarballs for
direct downloads). Replace it with a follow-up bump-formula job that
runs after release and uses mislav/bump-homebrew-formula-action to
open a PR on the tap updating url + sha256 to the new tag's GitHub-
generated source archive.

Tap-side companion change replaces Formula/band.rb with the source-
build formula and is on a separate branch in Bandwidth/homebrew-tap.
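An added example (not code from this PR, the release workflow, or the Bandwidth/homebrew-tap formula) of the tap-side bump the workflow automates and the check a reviewer would run on the resulting tap PR before the "merge tap PR" steps of the test plan. It assumes the Go source repository is github.com/Bandwidth/band (the PR names only the tap and the formula `band`); the formula text and the "archive" bytes are constructed stand-ins. Two things are worth confirming on every auto-PR: that `url` is exactly the tag's GitHub source archive for our repository (not a fork, release asset, or other host), and that the pinned `sha256` is the digest of that archive. Homebrew refuses a mismatched sha256 at install time, but by then the tap PR is merged; and since GitHub's January 2023 change to tag-archive compression broke checksums across package managers before it was reverted, a sha that stops matching is a reason to stop and look rather than regenerate.

```ruby
# Added example, not the project's code. Models the formula bump the PR's
# bump-formula job opens on the tap, and the pre-merge check for it.
# Assumptions: source repo github.com/Bandwidth/band; formula text and
# archive bytes below are constructed, not real releases.
require "digest"

REPO = "Bandwidth/band" # assumed source repository

# Constructed stand-ins for the GitHub-generated tag source archives.
OLD_ARCHIVE = "constructed bytes standing in for v0.1.0-beta.tar.gz\n"
NEW_ARCHIVE = "constructed bytes standing in for v0.1.1-beta.tar.gz\n"

# The GitHub source archive for a tag: the only url shape a bump may use.
def source_archive_url(repo, tag)
  "https://github.com/#{repo}/archive/refs/tags/#{tag}.tar.gz"
end

# Constructed source-build formula in the shape the PR describes: build from
# the tag archive with Go as a build dep, version injected via -X ldflag.
OLD_FORMULA = <<~RUBY
  class Band < Formula
    desc "Bandwidth CLI"
    homepage "https://github.com/#{REPO}"
    url "#{source_archive_url(REPO, "v0.1.0-beta")}"
    sha256 "#{Digest::SHA256.hexdigest(OLD_ARCHIVE)}"

    depends_on "go" => :build

    def install
      system "go", "build", *std_go_args(ldflags: "-X main.version=\#{version}")
    end

    test do
      assert_match version.to_s, shell_output("\#{bin}/band version")
    end
  end
RUBY

URL_RE = /^(\s*)url\s+"([^"]+)"/
SHA_RE = /^(\s*)sha256\s+"([0-9a-f]{64})"/ # lowercase hex only, as brew expects

# Pull the two stanzas the bump action rewrites; anything else is untouched.
def parse_formula(text)
  url = text[URL_RE, 2] or raise "formula has no url stanza"
  sha = text[SHA_RE, 2] or raise "formula has no 64-hex sha256 stanza"
  { url: url, sha256: sha }
end

# What the bump job does: point url at the new tag's archive and pin the
# archive's sha256. Returns the rewritten formula text.
def bump_formula(text, repo, tag, archive_bytes)
  new_url = source_archive_url(repo, tag)
  new_sha = Digest::SHA256.hexdigest(archive_bytes)
  out = text.sub(URL_RE) { "#{Regexp.last_match(1)}url \"#{new_url}\"" }
  out.sub(SHA_RE) { "#{Regexp.last_match(1)}sha256 \"#{new_sha}\"" }
end

# Pre-merge check on the tap PR: url must be exactly the expected tag archive
# for our repo, and the pinned sha256 must be the digest of that archive.
def check_bump(text, repo, tag, archive_bytes)
  f = parse_formula(text)
  {
    url_ok: f[:url] == source_archive_url(repo, tag),
    sha_ok: f[:sha256] == Digest::SHA256.hexdigest(archive_bytes),
    url: f[:url],
    sha256: f[:sha256],
  }
end

if __FILE__ == $0
  bumped = bump_formula(OLD_FORMULA, REPO, "v0.1.1-beta", NEW_ARCHIVE)
  puts bumped
  p check_bump(bumped, REPO, "v0.1.1-beta", NEW_ARCHIVE)
  # A PR whose archive no longer hashes to the pinned value is caught:
  p check_bump(bumped, REPO, "v0.1.1-beta", NEW_ARCHIVE + "x")
end
```

In the real flow the archive bytes come from downloading the `url` the PR proposes (`curl -L` of the tag archive) and hashing them; the tag to compare against is the one the release workflow just pushed, so a PR pointing at any other tag or repository fails `url_ok` even if its sha256 is internally consistent.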
@kshahbw kshahbw requested review from a team as code owners May 4, 2026 19:05
@bwappsec

bwappsec commented May 4, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- | --- |
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |
| | Code Security | 0 | 0 | 0 | 0 | 0 issues |

