Skip to content

ci(release): remove obsolete Homebrew dispatch credential#2088

Merged
danielmeppiel merged 14 commits into
mainfrom
remove-homebrew-dispatch-job
Jul 10, 2026
Merged

ci(release): remove obsolete Homebrew dispatch credential#2088
danielmeppiel merged 14 commits into
mainfrom
remove-homebrew-dispatch-job

Conversation

@danielmeppiel

@danielmeppiel danielmeppiel commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

remove(release): retire obsolete Homebrew dispatch credential

TL;DR

Remove the failing PAT-backed update-homebrew release job now that microsoft/homebrew-apm owns formula updates through a daily poller. This eliminates both observed authentication failures without introducing another cross-repository secret or weakening enterprise token policy. Release documentation now records the pull-based ownership model.

Important

Closes #2061. The replacement poller is already merged and has completed successfully in microsoft/homebrew-apm.

Problem (WHY)

  • The v0.24.0 release dispatch failed because the enterprise rejected GH_PKG_PAT for exceeding its eight-day fine-grained PAT lifetime policy (failed job).
  • Before that policy rejection, the downstream workflow pushed formula branches but gh pr create failed with HTTP 401 (failed job).
  • [!] Keeping the sender would preserve a dead credential path after the tap replaced its listener with poll-upstream-release.yml (microsoft/homebrew-apm#52).

Issue #2061 records the user impact: the Homebrew formula stopped tracking APM releases. The secure boundary is now repository-local: the public tap reads the public APM release and writes only to itself.

Approach (WHAT)

# Fix
1 Delete the leaf update-homebrew job, including checksum downloads and PAT-backed repository_dispatch.
2 Delete the permanently disabled update-scoop placeholder so no dormant cross-repository PAT dispatch remains.
3 Keep release production and package publication unchanged.
4 Document that the tap polls public releases and writes with its repository-scoped GITHUB_TOKEN.
5 Add a hermetic integration harness that commits a formula locally and rejects restored Homebrew workflow auth.

Implementation (HOW)

File Change
.github/workflows/build-release.yml Removes the obsolete Homebrew job and the permanently disabled Scoop placeholder, eliminating GH_PKG_PAT and repository dispatch from the workflow.
.github/instructions/cicd.instructions.md Updates the canonical workflow architecture and forbids restoring a cross-repository tap credential.
.apm/instructions/cicd.instructions.md Keeps the generated APM instruction mirror aligned with the canonical workflow guidance.
docs/src/content/docs/contributing/integration-testing.md Removes the stale release-stage claim and explains the independent tap poller.
apm.lock.yaml Refreshes the managed CI/CD instruction hash so apm audit --ci remains green.
tests/integration/test_release_homebrew_update.py Executes a hermetic tap update and guards against restoring Homebrew workflow credentials, dispatch, or PR auth.
CHANGELOG.md Records the Homebrew release-reliability improvement.

The changelog records the release-reliability improvement because Homebrew users observe formula freshness even though the CLI contract is unchanged.

Diagram

Legend: APM publishes release assets; the tap now pulls them and writes its formula entirely within its own repository boundary.

sequenceDiagram
    participant A as microsoft/apm release
    participant P as tap poller
    participant G as GitHub API
    participant T as microsoft/homebrew-apm

    A->>G: publish stable release and checksums
    P->>G: read latest public release
    G-->>P: version and checksum assets
    P->>T: commit formula with repository GITHUB_TOKEN
    Note over A,T: No cross-repository PAT or dispatch
Loading

Trade-offs

  • Pull instead of push. The tap can lag until its daily schedule runs; the rejected alternative keeps an expiring PAT or introduces a GitHub App solely to trigger work the tap can initiate itself.
  • Direct tap commit instead of PR creation. The repository-local token cannot create PRs under the organization setting, while the poller renders upstream-published checksums and writes only the formula.
  • Hermetic model instead of a live downstream call. The integration harness executes a local formula commit and installs a failing gh stub, proving the ownership boundary without network access or real credentials.

Benefits

  1. Zero active Homebrew credentials remain in the APM release path.
  2. Zero cross-repository dispatch calls are made for Homebrew releases.
  3. The replacement poller has a successful workflow run using only its built-in token.
  4. All three release-architecture references describe the same ownership model.

Validation

actionlint -ignore 'SC2086' .github/workflows/build-release.yml plus uv run --extra dev pytest -q tests/integration/test_release_homebrew_update.py:

1 passed

uv run apm audit --ci:

[*] All 9 check(s) passed

Canonical lint mirror:

All checks passed!
1410 files already formatted

--------------------------------------------------------------------
Your code has been rated at 10.00/10 (previous run: 10.00/10, +0.00)

[*] Rule A: get_bearer_provider boundary (any reference)
[*] Rule B: git ls-remote auth-delegated annotation
[+] auth-signal lint clean
CI grep guards passed

Replacement operational evidence:

Poll upstream release run 29046583598: success
https://github.com/microsoft/homebrew-apm/actions/runs/29046583598

Scenario Evidence

# Scenario (user promise) Principle Evidence Type
1 Homebrew updates do not fail on enterprise PAT lifetime policy. Secure by default Hermetic integration harness commits a formula with no token and fails if Homebrew workflow auth, dispatch, or PR creation returns integration-with-fixtures
2 The tap can discover the current APM release without a cross-repository secret. Vendor-neutral Successful poll-upstream-release.yml run 29046583598 end-to-end
3 Release workflow syntax remains valid after deleting the obsolete jobs. DevX actionlint and the integration harness above static + integration-with-fixtures

How to test

  • Run actionlint -ignore 'SC2086' .github/workflows/build-release.yml; expect no diagnostics beyond the intentionally ignored pre-existing ShellCheck rule.
  • Run uv run --extra dev pytest -q tests/integration/test_release_homebrew_update.py; expect one pass and a local formula commit without gh, GH_PKG_PAT, dispatch, or PR auth.
  • Inspect the latest microsoft/homebrew-apm poller run; expect conclusion success with no cross-repository PAT.
  • Run the canonical lint mirror; expect ruff, formatting, duplication, auth-boundary, and grep guards to pass.

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com

The update-homebrew job sent a repository_dispatch to microsoft/homebrew-apm
using a fine-grained PAT (GH_PKG_PAT). That token hit the enterprise policy
forbidding PAT lifetimes > 8 days and deterministically broke the Homebrew
step every release.

The tap now self-updates via its own poll-upstream-release.yml: a daily job
that reads the latest microsoft/apm release with the tap's built-in
GITHUB_TOKEN and commits the formula bump directly -- no cross-repo trigger,
no PAT, nothing to rotate. This removes the sender job entirely, retiring the
push model.

Note: GH_PKG_PAT remains referenced only by the update-scoop job, which is
disabled (if: false), so the secret is not orphaned by this change.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 9, 2026 20:55

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Removes the now-unnecessary Homebrew tap dispatch job from the release workflow, since the microsoft/homebrew-apm tap is now responsible for polling upstream releases and updating itself.

Changes:

  • Deleted the update-homebrew job (checksum download + repository_dispatch to microsoft/homebrew-apm).
  • Kept the existing (disabled) update-scoop job intact; GH_PKG_PAT remains referenced only there.
Show a summary per file
File Description
.github/workflows/build-release.yml Removes the Homebrew update dispatch job from the release pipeline.

Review details

  • Files reviewed: 1/1 changed files
  • Comments generated: 0
  • Review effort level: Low

Keep the release architecture and contributor guide aligned with the removal of the obsolete cross-repository dispatch. The tap now polls public releases using its repository-scoped GITHUB_TOKEN.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@danielmeppiel danielmeppiel changed the title ci(release): remove Homebrew tap dispatch job (tap now self-updates) ci(release): remove obsolete Homebrew dispatch credential Jul 9, 2026
danielmeppiel and others added 7 commits July 10, 2026 00:17
Record the updated managed CI/CD instruction hash so apm audit --ci verifies the release documentation mirror.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Execute a hermetic tap-update model against local release metadata and fail if the APM release workflow restores a Homebrew credential, repository dispatch, or PR-auth path. This addresses the review panel's empirical coverage and documentation follow-ups.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Remove the disabled Scoop dispatch that retained the same cross-repository PAT pattern and escape harness assignment keys. This folds the final auth, security, and architecture panel findings.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Keep the mirrored release architecture and managed instruction hash aligned after removing the disabled Scoop dispatch job.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Compile the formula assignment matcher explicitly and frame the changelog entry around release reliability, folding the final architecture and growth panel nits.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Narrow the auth-token guard to credential-shaped secrets, link the tap for operators, and describe the Homebrew outcome in user terms. This folds the last architecture and DevX panel findings.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Reject GH_PKG_PAT and repository-dispatch anywhere in the release workflow while limiting generic token checks to package-manager jobs. Remove duplicated contributor-guide prose surfaced by the terminal panel.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@danielmeppiel

Copy link
Copy Markdown
Collaborator Author

APM Review Panel: ship_now

Retires the cross-repository Homebrew dispatch credential from the release pipeline, replacing it with tap-side polling and a mutation-break regression guard.

cc @danielmeppiel @sergio-sisternes-epam - a fresh advisory pass is ready for your review.

The panel converged after every in-scope finding was folded. The final architecture, CLI, DevX, auth, security, documentation, growth, test, and performance lenses found no unresolved concern. The release workflow now has a smaller credential surface, the ownership boundary is executable in a hermetic integration test, and the user and contributor documentation match the final behavior.

Aligned with: Secure by default: the release pipeline no longer holds GH_PKG_PAT or dispatches to downstream package-manager repositories. Governed by policy: the integration harness fails if the retired credential, dispatch, or PR-auth path returns. OSS community driven: contributors no longer need a cross-repository PAT for Homebrew distribution.

Panel summary

Persona B R N Takeaway
Python Architect 0 0 0 The workflow removal and hermetic harness are appropriately scoped.
CLI Logging Expert 0 0 0 No CLI output or logging surface is changed.
DevX UX Expert 0 0 0 User-facing release wording and contributor guidance are aligned.
Supply Chain Security Expert 0 0 0 The cross-repository PAT and dispatch surface is removed.
OSS Growth Hacker 0 0 0 The changelog frames the change as a Homebrew reliability improvement.
Auth Expert 0 0 0 No GH_PKG_PAT or package-manager repository dispatch remains.
Doc Writer 0 0 0 Docs and PR body match the final implementation.
Test Coverage Expert 0 0 0 The integration proof and mutation-break guard cover the ownership boundary.

B = blocking-severity findings, R = recommended, N = nits.
Counts are signal strength, not gates. The maintainer ships.

Recommendation

All panel signals are green, the regression harness is committed and passing, and the credential surface is strictly reduced. Ship at maintainer convenience; no follow-ups are required.

Folded in this run

  • (panel) Added a hermetic release-to-tap integration harness and committed regression test - resolved in 7a1d21d57.
  • (panel) Removed stale release-pipeline claims, added a changelog entry, and synchronized release instructions - resolved in 7a1d21d57.
  • (panel) Removed the dormant Scoop PAT dispatch and escaped the formula assignment matcher - resolved in 6cbf7cf42.
  • (panel) Aligned the PR body, user-facing changelog wording, tap link, and credential guard precision - resolved in 5216b5174.
  • (panel) Extended the guard across retired package-manager dispatch paths and removed duplicate docs prose - resolved in 1c6795532.

Regression-trap evidence (mutation-break gate)

  • tests/integration/test_release_homebrew_update.py::test_homebrew_update_commits_without_cross_repo_auth - restored an update-homebrew job using GH_PKG_PAT and peter-evans/repository-dispatch@v3; the test FAILED as expected; workflow restored.

Validation

  • uv run --extra dev pytest -q tests/integration/test_release_homebrew_update.py: 1 passed.
  • actionlint -ignore 'SC2086' .github/workflows/build-release.yml: silent.
  • uv run apm audit --ci: all 9 checks passed.
  • Canonical ruff, formatting, pylint R0801, and auth-signal lint chain: exit 0.

CI

Exact final SHA 1c67955325f49d7dc2b2ba8f937331489e0e991c: all checks passed, including Lint, both Linux test shards, Coverage Combine, CodeQL, Merge Gate, PR Binary Smoke, APM Self-Check, docs build, NOTICE drift, and CLA.

Mergeability status

PR head SHA CEO stance iters folds defers Copilot rounds CI mergeable mergeStateStatus notes
#2088 1c67955 ship_now 4 5 0 2 green MERGEABLE BLOCKED awaiting required review

Convergence

4 outer iterations; 2 Copilot rounds; zero inline Copilot findings. Final panel recommendation: ship_now.

Ready for maintainer review.


Full per-persona findings

All terminal persona finding arrays are empty. Conditional performance review was inactive because the PR changes no runtime performance surface.

This panel is advisory. Re-apply the panel-review label after addressing feedback to re-run.

danielmeppiel and others added 4 commits July 10, 2026 14:45
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Refresh the PR against current main before running the canonical validation gates.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md
Keep the hermetic release-to-tap flow as an integration regression so restoring the obsolete dispatch credential fails empirically. This addresses the panel coverage follow-up and the operator mutation-break gate.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Describe the tap-owned poller through the user-visible brew upgrade result, addressing the growth panel polish item without changing release scope.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@danielmeppiel

Copy link
Copy Markdown
Collaborator Author

APM Review Panel: ship_with_followups

Removes the dead Homebrew dispatch credential from the release workflow and narrows the CI credential surface.

cc @danielmeppiel @sergio-sisternes-epam -- a fresh advisory pass is ready for your review.

The panel converged on the direction. The highest-signal gap is that the latest head deleted the hermetic integration regression while the PR body still claimed it. The shepherd is folding that test back in, proving it fails when the obsolete workflow is restored, and sharpening the changelog. The repository-secret cleanup is operational follow-through outside this code diff.

Aligned with: secure by default through removal of an unused PAT path; OSS community driven through a simpler release workflow with fewer secret prerequisites.

Panel summary

Persona B R N Takeaway
Python Architect 0 0 1 Pure CI and docs change; no Python architecture concern.
CLI Logging Expert 0 0 0 No CLI output or logging surface changed.
DevX UX Expert 0 0 0 No CLI or install-flow ergonomics changed.
Supply Chain Security Expert 0 0 1 Removal is sound; retain an automated anti-regression guard.
OSS Growth Hacker 0 0 1 Frame the changelog around the user-visible upgrade outcome.
Auth Expert 0 0 1 Credential path is removed; clean up the unused repository secret operationally.
Doc Writer 0 1 0 Repository docs are accurate, but the PR body and deleted test diverged.
Test Coverage Expert 0 1 0 Restore the hermetic Homebrew ownership regression.

B = blocking-severity findings, R = recommended, N = nits.
Counts are signal strength, not gates. The maintainer ships.

Top 4 follow-ups

  1. [Test Coverage Expert] Restore tests/integration/test_release_homebrew_update.py and its harness -- the release ownership boundary needs executable coverage.
  2. [Supply Chain Security Expert] Make the restored test fail on GH_PKG_PAT or repository dispatch -- prevention is stronger than prose alone.
  3. [OSS Growth Hacker] Sharpen the changelog around brew upgrade apm reliability -- the user outcome is clearer than internal plumbing.
  4. [Auth Expert] Delete the unused GH_PKG_PAT repository secret after landing -- this closes the operational credential lifecycle.

Recommendation

Land after the in-flight test, mutation-break, and changelog folds are present and validation is green. The underlying removal is directionally correct and reduces release credential risk.


Full per-persona findings

Python Architect

  • [nit] No design-pattern change is warranted for this workflow deletion.

CLI Logging Expert

No findings.

DevX UX Expert

No findings.

Supply Chain Security Expert

  • [nit] Retain an automated guard against restoring package-manager credentials or dispatch.

OSS Growth Hacker

  • [nit] State the Homebrew upgrade benefit concretely in CHANGELOG.md.

Auth Expert

  • [nit] Remove the now-unused repository secret after this code lands.

Doc Writer

  • [recommended] Restore the test or update the stale PR body test claims.

Test Coverage Expert

  • [recommended] The deleted integration regression leaves the ownership invariant enforced only by prose.

Performance Expert -- inactive

No package-manager runtime performance surface changed.

This panel is advisory. It does not block merge. Re-apply the panel-review label after addressing feedback to re-run.

@danielmeppiel

Copy link
Copy Markdown
Collaborator Author

APM Review Panel: ship_now

Removes obsolete package-manager dispatch credentials and keeps the tap-owned Homebrew update boundary executable as a regression test.

cc @danielmeppiel @sergio-sisternes-epam -- a fresh advisory pass is ready for your review.

Every active lens converged on the final diff. The release workflow no longer owns a Homebrew or Scoop cross-repository dispatch, the documentation describes tap-owned polling, and the restored hermetic integration regression proves the ownership boundary. Earlier test, security, documentation, and changelog items are folded. The remaining nit suggestions were either already covered by the global forbidden-token scan or would add abstraction to a one-purpose test harness without improving the contract.

Aligned with: secure by default through removal and executable prevention of cross-repository credentials; OSS community driven through a simpler release workflow with no contributor-managed tap secret.

Panel summary

Persona B R N Takeaway
Python Architect 0 0 2 The procedural harness is the simplest correct architecture for this scope.
CLI Logging Expert 0 0 0 No CLI output surface changed.
DevX UX Expert 0 0 0 No command or install-flow ergonomics changed.
Supply Chain Security Expert 0 0 0 PAT and dispatch removal plus the structural guard improve the boundary.
OSS Growth Hacker 0 0 0 The changelog now states the brew upgrade apm outcome.
Auth Expert 0 0 1 The global forbidden tuple already catches the hypothesized renamed-job path.
Doc Writer 0 0 0 Repository docs and PR evidence agree with the final head.
Test Coverage Expert 0 0 0 The release-to-tap ownership regression is restored and mutation-proven.

B = blocking-severity findings, R = recommended, N = nits.
Counts are signal strength, not gates. The maintainer ships.

Recommendation

Ready for maintainer review. The regression is executable, the latest GitHub checks are green, and no in-scope follow-up remains.

Folded in this run

  • (panel) Restored the hermetic release-to-Homebrew ownership regression -- resolved in 7a7f37984.
  • (panel) Added a global automated guard against GH_PKG_PAT, repository dispatch, PR auth, and package-manager workflow tokens -- resolved in 7a7f37984.
  • (panel) Reconciled the PR body test evidence by retaining the claimed integration files -- resolved in 7a7f37984.
  • (panel) Reframed the changelog around the user-visible brew upgrade apm outcome -- resolved in 59f16c96e.

Copilot signals reviewed

Copilot posted no inline findings in either fetch round.

Regression-trap evidence (mutation-break gate)

  • tests/integration/test_release_homebrew_update.py::test_homebrew_update_commits_without_cross_repo_auth -- restored origin/main's obsolete update-homebrew workflow; test failed with RuntimeError naming GH_PKG_PAT, repository-dispatch, and workflow token; workflow deletion restored and test passed.

Validation

  • Targeted Homebrew integration regression: 1 passed.
  • Full bash scripts/test-integration.sh: executed all integration tests; 10205 passed, 172 skipped, 16 deselected, 2 xfailed; one pre-existing main failure remained in test_intra_package_cleanup after fix(skills): key ownership tracking on owner/repo, not the leaf directory name #2052 intentionally changed shared-file ownership to one true owner.
  • Canonical lint: ruff check and format, YAML I/O, 2100-line, portable-relative-path, pylint R0801, and auth-signal guards all passed.
  • uv run apm audit --ci: all 9 checks passed.

CI

All checks on CI run 29099280368 passed; no CI recovery iteration was required.

Mergeability status

PR head SHA CEO stance iters folds defers Copilot rounds CI mergeable mergeStateStatus notes
#2088 59f16c9 ship_now 1 4 0 2 green MERGEABLE BLOCKED pending maintainer review

Convergence

1 outer iteration; 2 Copilot rounds. Final panel stance: ship_now.


Full per-persona findings

Python Architect

The optional __all__ and shared-helper nits would over-abstract a standalone, one-purpose integration harness; no action recommended.

CLI Logging Expert

No PR-scope findings.

DevX UX Expert

No PR-scope findings.

Supply Chain Security Expert

No findings.

OSS Growth Hacker

No findings.

Auth Expert

The renamed-job hypothetical is already covered because GH_PKG_PAT and repository dispatch are rejected across every workflow job.

Doc Writer

No findings.

Test Coverage Expert

No findings.

Performance Expert -- inactive

Release workflow, documentation, and test-only change; no package-manager runtime performance surface.

This panel is advisory. It does not block merge. Re-apply the panel-review label after addressing feedback to re-run.

@danielmeppiel danielmeppiel merged commit 3a5621c into main Jul 10, 2026
10 checks passed
@danielmeppiel danielmeppiel deleted the remove-homebrew-dispatch-job branch July 10, 2026 19:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] Homebrew formula auto-update has been failing since v0.17.0 (currently stuck at v0.23.1)

2 participants