ci(release): remove obsolete Homebrew dispatch credential#2088
Conversation
The update-homebrew job sent a repository_dispatch to microsoft/homebrew-apm using a fine-grained PAT (GH_PKG_PAT). That token hit the enterprise policy forbidding PAT lifetimes > 8 days and deterministically broke the Homebrew step every release. The tap now self-updates via its own poll-upstream-release.yml: a daily job that reads the latest microsoft/apm release with the tap's built-in GITHUB_TOKEN and commits the formula bump directly -- no cross-repo trigger, no PAT, nothing to rotate. This removes the sender job entirely, retiring the push model. Note: GH_PKG_PAT remains referenced only by the update-scoop job, which is disabled (if: false), so the secret is not orphaned by this change. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Removes the now-unnecessary Homebrew tap dispatch job from the release workflow, since the microsoft/homebrew-apm tap is now responsible for polling upstream releases and updating itself.
Changes:
- Deleted the
update-homebrewjob (checksum download +repository_dispatchtomicrosoft/homebrew-apm). - Kept the existing (disabled)
update-scoopjob intact;GH_PKG_PATremains referenced only there.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/build-release.yml | Removes the Homebrew update dispatch job from the release pipeline. |
Review details
- Files reviewed: 1/1 changed files
- Comments generated: 0
- Review effort level: Low
Keep the release architecture and contributor guide aligned with the removal of the obsolete cross-repository dispatch. The tap now polls public releases using its repository-scoped GITHUB_TOKEN. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Record the updated managed CI/CD instruction hash so apm audit --ci verifies the release documentation mirror. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Execute a hermetic tap-update model against local release metadata and fail if the APM release workflow restores a Homebrew credential, repository dispatch, or PR-auth path. This addresses the review panel's empirical coverage and documentation follow-ups. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Remove the disabled Scoop dispatch that retained the same cross-repository PAT pattern and escape harness assignment keys. This folds the final auth, security, and architecture panel findings. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Keep the mirrored release architecture and managed instruction hash aligned after removing the disabled Scoop dispatch job. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Compile the formula assignment matcher explicitly and frame the changelog entry around release reliability, folding the final architecture and growth panel nits. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Narrow the auth-token guard to credential-shaped secrets, link the tap for operators, and describe the Homebrew outcome in user terms. This folds the last architecture and DevX panel findings. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Reject GH_PKG_PAT and repository-dispatch anywhere in the release workflow while limiting generic token checks to package-manager jobs. Remove duplicated contributor-guide prose surfaced by the terminal panel. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
APM Review Panel:
|
| Persona | B | R | N | Takeaway |
|---|---|---|---|---|
| Python Architect | 0 | 0 | 0 | The workflow removal and hermetic harness are appropriately scoped. |
| CLI Logging Expert | 0 | 0 | 0 | No CLI output or logging surface is changed. |
| DevX UX Expert | 0 | 0 | 0 | User-facing release wording and contributor guidance are aligned. |
| Supply Chain Security Expert | 0 | 0 | 0 | The cross-repository PAT and dispatch surface is removed. |
| OSS Growth Hacker | 0 | 0 | 0 | The changelog frames the change as a Homebrew reliability improvement. |
| Auth Expert | 0 | 0 | 0 | No GH_PKG_PAT or package-manager repository dispatch remains. |
| Doc Writer | 0 | 0 | 0 | Docs and PR body match the final implementation. |
| Test Coverage Expert | 0 | 0 | 0 | The integration proof and mutation-break guard cover the ownership boundary. |
B = blocking-severity findings, R = recommended, N = nits.
Counts are signal strength, not gates. The maintainer ships.
Recommendation
All panel signals are green, the regression harness is committed and passing, and the credential surface is strictly reduced. Ship at maintainer convenience; no follow-ups are required.
Folded in this run
- (panel) Added a hermetic release-to-tap integration harness and committed regression test - resolved in
7a1d21d57. - (panel) Removed stale release-pipeline claims, added a changelog entry, and synchronized release instructions - resolved in
7a1d21d57. - (panel) Removed the dormant Scoop PAT dispatch and escaped the formula assignment matcher - resolved in
6cbf7cf42. - (panel) Aligned the PR body, user-facing changelog wording, tap link, and credential guard precision - resolved in
5216b5174. - (panel) Extended the guard across retired package-manager dispatch paths and removed duplicate docs prose - resolved in
1c6795532.
Regression-trap evidence (mutation-break gate)
tests/integration/test_release_homebrew_update.py::test_homebrew_update_commits_without_cross_repo_auth- restored anupdate-homebrewjob usingGH_PKG_PATandpeter-evans/repository-dispatch@v3; the test FAILED as expected; workflow restored.
Validation
uv run --extra dev pytest -q tests/integration/test_release_homebrew_update.py: 1 passed.actionlint -ignore 'SC2086' .github/workflows/build-release.yml: silent.uv run apm audit --ci: all 9 checks passed.- Canonical ruff, formatting, pylint R0801, and auth-signal lint chain: exit 0.
CI
Exact final SHA 1c67955325f49d7dc2b2ba8f937331489e0e991c: all checks passed, including Lint, both Linux test shards, Coverage Combine, CodeQL, Merge Gate, PR Binary Smoke, APM Self-Check, docs build, NOTICE drift, and CLA.
Mergeability status
| PR | head SHA | CEO stance | iters | folds | defers | Copilot rounds | CI | mergeable | mergeStateStatus | notes |
|---|---|---|---|---|---|---|---|---|---|---|
| #2088 | 1c67955 |
ship_now | 4 | 5 | 0 | 2 | green | MERGEABLE | BLOCKED | awaiting required review |
Convergence
4 outer iterations; 2 Copilot rounds; zero inline Copilot findings. Final panel recommendation: ship_now.
Ready for maintainer review.
Full per-persona findings
All terminal persona finding arrays are empty. Conditional performance review was inactive because the PR changes no runtime performance surface.
This panel is advisory. Re-apply the panel-review label after addressing feedback to re-run.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Refresh the PR against current main before running the canonical validation gates. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> # Conflicts: # CHANGELOG.md
Keep the hermetic release-to-tap flow as an integration regression so restoring the obsolete dispatch credential fails empirically. This addresses the panel coverage follow-up and the operator mutation-break gate. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Describe the tap-owned poller through the user-visible brew upgrade result, addressing the growth panel polish item without changing release scope. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
APM Review Panel:
|
| Persona | B | R | N | Takeaway |
|---|---|---|---|---|
| Python Architect | 0 | 0 | 1 | Pure CI and docs change; no Python architecture concern. |
| CLI Logging Expert | 0 | 0 | 0 | No CLI output or logging surface changed. |
| DevX UX Expert | 0 | 0 | 0 | No CLI or install-flow ergonomics changed. |
| Supply Chain Security Expert | 0 | 0 | 1 | Removal is sound; retain an automated anti-regression guard. |
| OSS Growth Hacker | 0 | 0 | 1 | Frame the changelog around the user-visible upgrade outcome. |
| Auth Expert | 0 | 0 | 1 | Credential path is removed; clean up the unused repository secret operationally. |
| Doc Writer | 0 | 1 | 0 | Repository docs are accurate, but the PR body and deleted test diverged. |
| Test Coverage Expert | 0 | 1 | 0 | Restore the hermetic Homebrew ownership regression. |
B = blocking-severity findings, R = recommended, N = nits.
Counts are signal strength, not gates. The maintainer ships.
Top 4 follow-ups
- [Test Coverage Expert] Restore
tests/integration/test_release_homebrew_update.pyand its harness -- the release ownership boundary needs executable coverage. - [Supply Chain Security Expert] Make the restored test fail on
GH_PKG_PATor repository dispatch -- prevention is stronger than prose alone. - [OSS Growth Hacker] Sharpen the changelog around
brew upgrade apmreliability -- the user outcome is clearer than internal plumbing. - [Auth Expert] Delete the unused
GH_PKG_PATrepository secret after landing -- this closes the operational credential lifecycle.
Recommendation
Land after the in-flight test, mutation-break, and changelog folds are present and validation is green. The underlying removal is directionally correct and reduces release credential risk.
Full per-persona findings
Python Architect
- [nit] No design-pattern change is warranted for this workflow deletion.
CLI Logging Expert
No findings.
DevX UX Expert
No findings.
Supply Chain Security Expert
- [nit] Retain an automated guard against restoring package-manager credentials or dispatch.
OSS Growth Hacker
- [nit] State the Homebrew upgrade benefit concretely in
CHANGELOG.md.
Auth Expert
- [nit] Remove the now-unused repository secret after this code lands.
Doc Writer
- [recommended] Restore the test or update the stale PR body test claims.
Test Coverage Expert
- [recommended] The deleted integration regression leaves the ownership invariant enforced only by prose.
Performance Expert -- inactive
No package-manager runtime performance surface changed.
This panel is advisory. It does not block merge. Re-apply the panel-review label after addressing feedback to re-run.
APM Review Panel:
|
| Persona | B | R | N | Takeaway |
|---|---|---|---|---|
| Python Architect | 0 | 0 | 2 | The procedural harness is the simplest correct architecture for this scope. |
| CLI Logging Expert | 0 | 0 | 0 | No CLI output surface changed. |
| DevX UX Expert | 0 | 0 | 0 | No command or install-flow ergonomics changed. |
| Supply Chain Security Expert | 0 | 0 | 0 | PAT and dispatch removal plus the structural guard improve the boundary. |
| OSS Growth Hacker | 0 | 0 | 0 | The changelog now states the brew upgrade apm outcome. |
| Auth Expert | 0 | 0 | 1 | The global forbidden tuple already catches the hypothesized renamed-job path. |
| Doc Writer | 0 | 0 | 0 | Repository docs and PR evidence agree with the final head. |
| Test Coverage Expert | 0 | 0 | 0 | The release-to-tap ownership regression is restored and mutation-proven. |
B = blocking-severity findings, R = recommended, N = nits.
Counts are signal strength, not gates. The maintainer ships.
Recommendation
Ready for maintainer review. The regression is executable, the latest GitHub checks are green, and no in-scope follow-up remains.
Folded in this run
- (panel) Restored the hermetic release-to-Homebrew ownership regression -- resolved in
7a7f37984. - (panel) Added a global automated guard against
GH_PKG_PAT, repository dispatch, PR auth, and package-manager workflow tokens -- resolved in7a7f37984. - (panel) Reconciled the PR body test evidence by retaining the claimed integration files -- resolved in
7a7f37984. - (panel) Reframed the changelog around the user-visible
brew upgrade apmoutcome -- resolved in59f16c96e.
Copilot signals reviewed
Copilot posted no inline findings in either fetch round.
Regression-trap evidence (mutation-break gate)
tests/integration/test_release_homebrew_update.py::test_homebrew_update_commits_without_cross_repo_auth-- restored origin/main's obsoleteupdate-homebrewworkflow; test failed withRuntimeErrornamingGH_PKG_PAT,repository-dispatch, andworkflow token; workflow deletion restored and test passed.
Validation
- Targeted Homebrew integration regression:
1 passed. - Full
bash scripts/test-integration.sh: executed all integration tests;10205 passed, 172 skipped, 16 deselected, 2 xfailed; one pre-existing main failure remained intest_intra_package_cleanupafter fix(skills): key ownership tracking on owner/repo, not the leaf directory name #2052 intentionally changed shared-file ownership to one true owner. - Canonical lint: ruff check and format, YAML I/O, 2100-line, portable-relative-path, pylint R0801, and auth-signal guards all passed.
uv run apm audit --ci: all 9 checks passed.
CI
All checks on CI run 29099280368 passed; no CI recovery iteration was required.
Mergeability status
| PR | head SHA | CEO stance | iters | folds | defers | Copilot rounds | CI | mergeable | mergeStateStatus | notes |
|---|---|---|---|---|---|---|---|---|---|---|
| #2088 | 59f16c9 |
ship_now | 1 | 4 | 0 | 2 | green | MERGEABLE | BLOCKED | pending maintainer review |
Convergence
1 outer iteration; 2 Copilot rounds. Final panel stance: ship_now.
Full per-persona findings
Python Architect
The optional __all__ and shared-helper nits would over-abstract a standalone, one-purpose integration harness; no action recommended.
CLI Logging Expert
No PR-scope findings.
DevX UX Expert
No PR-scope findings.
Supply Chain Security Expert
No findings.
OSS Growth Hacker
No findings.
Auth Expert
The renamed-job hypothetical is already covered because GH_PKG_PAT and repository dispatch are rejected across every workflow job.
Doc Writer
No findings.
Test Coverage Expert
No findings.
Performance Expert -- inactive
Release workflow, documentation, and test-only change; no package-manager runtime performance surface.
This panel is advisory. It does not block merge. Re-apply the panel-review label after addressing feedback to re-run.
remove(release): retire obsolete Homebrew dispatch credential
TL;DR
Remove the failing PAT-backed
update-homebrewrelease job now thatmicrosoft/homebrew-apmowns formula updates through a daily poller. This eliminates both observed authentication failures without introducing another cross-repository secret or weakening enterprise token policy. Release documentation now records the pull-based ownership model.Important
Closes #2061. The replacement poller is already merged and has completed successfully in
microsoft/homebrew-apm.Problem (WHY)
GH_PKG_PATfor exceeding its eight-day fine-grained PAT lifetime policy (failed job).gh pr createfailed with HTTP 401 (failed job).poll-upstream-release.yml(microsoft/homebrew-apm#52).Issue #2061 records the user impact: the Homebrew formula stopped tracking APM releases. The secure boundary is now repository-local: the public tap reads the public APM release and writes only to itself.
Approach (WHAT)
update-homebrewjob, including checksum downloads and PAT-backedrepository_dispatch.update-scoopplaceholder so no dormant cross-repository PAT dispatch remains.GITHUB_TOKEN.Implementation (HOW)
.github/workflows/build-release.ymlGH_PKG_PATand repository dispatch from the workflow..github/instructions/cicd.instructions.md.apm/instructions/cicd.instructions.mddocs/src/content/docs/contributing/integration-testing.mdapm.lock.yamlapm audit --ciremains green.tests/integration/test_release_homebrew_update.pyCHANGELOG.mdThe changelog records the release-reliability improvement because Homebrew users observe formula freshness even though the CLI contract is unchanged.
Diagram
Legend: APM publishes release assets; the tap now pulls them and writes its formula entirely within its own repository boundary.
sequenceDiagram participant A as microsoft/apm release participant P as tap poller participant G as GitHub API participant T as microsoft/homebrew-apm A->>G: publish stable release and checksums P->>G: read latest public release G-->>P: version and checksum assets P->>T: commit formula with repository GITHUB_TOKEN Note over A,T: No cross-repository PAT or dispatchTrade-offs
ghstub, proving the ownership boundary without network access or real credentials.Benefits
Validation
actionlint -ignore 'SC2086' .github/workflows/build-release.ymlplusuv run --extra dev pytest -q tests/integration/test_release_homebrew_update.py:uv run apm audit --ci:Canonical lint mirror:
Replacement operational evidence:
Scenario Evidence
poll-upstream-release.ymlrun 29046583598actionlintand the integration harness aboveHow to test
actionlint -ignore 'SC2086' .github/workflows/build-release.yml; expect no diagnostics beyond the intentionally ignored pre-existing ShellCheck rule.uv run --extra dev pytest -q tests/integration/test_release_homebrew_update.py; expect one pass and a local formula commit withoutgh,GH_PKG_PAT, dispatch, or PR auth.microsoft/homebrew-apmpoller run; expect conclusionsuccesswith no cross-repository PAT.Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com