Replace Homebrew bump action with direct formula update

[helizaga]

The homebrew workflow failed on the v2.8.0 release with unexpected HTTP 303 response. GitHub started returning 303 redirects on tarball URLs and bump-homebrew-formula-action rejects them (mislav/bump-homebrew-formula-action#340, fix unmerged, latest release predates it). The v2.8.0 formula had to be bumped by hand.

This drops the action and does the bump directly in a script step: download the release tarball, sha256 it, update url + sha256 in the tap formula via the contents API with the existing HOMEBREW_TAP_TOKEN. Same commit message format the action used. Skips cleanly if the formula is already at the tag, so reruns are safe. No third-party action left in the workflow.

Also adds workflow_dispatch with a tag-name input so a failed bump can be rerun manually instead of editing the tap by hand.

Tested every path:

• container dry-runs of the exact script: v2.7.3 output is byte-identical to the real v2.7.3 tap commit; bad tag and unexpected formula format both exit non-zero
• live dispatches from this branch with the real secret: v2.8.0 hits the already-current guard, v9.9.9 fails the run on curl 404, and a v2.7.3 → v2.8.0 round trip wrote real commits to the tap (f177412, 04e2f45) that diff clean against the historical 2.7.3 and current 2.8.0 formulas
• brew fetch coderabbitai/tap/git-gtr checks out after the round trip
• actionlint clean

[coderabbitai]

Walkthrough

Adds a manual workflow_dispatch input (tag-name) and replaces the external Homebrew bump action with an inline shell script that computes the release tarball URL and SHA-256, fetches and decodes Formula/git-gtr.rb, conditionally updates url and sha256, and commits the change to the tap via the GitHub contents API.

Changes

Homebrew Formula Update Automation

Layer / File(s)	Summary
Add manual trigger input .github/workflows/homebrew.yml	Adds workflow_dispatch with a required tag-name input used to select which release/tag to bump the formula to.
Inline Homebrew formula update script .github/workflows/homebrew.yml	Replaces mislav/bump-homebrew-formula-action with an inline bash script that builds the tarball URL, downloads and hashes the tarball, retrieves and base64-decodes Formula/git-gtr.rb from the tap using HOMEBREW_TAP_TOKEN, exits if the formula already references the tarball URL, otherwise updates url and sha256, re-encodes the file, and commits it back via a GitHub contents API PUT.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 I hopped through YAML, tag in paw,
Replaced an action with my own shell law,
I fetch the tar, I hash, I peep,
Update the tap if changes creep,
Commit a carrot-coded draw. 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: replacing a third-party Homebrew action with an inline script for direct formula updates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-homebrew-bump-303

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/homebrew.yml:
- Around line 20-26: TAG_NAME is inserted directly into url and later used in
sed substitutions; validate or escape it before use. Add a validation step for
TAG_NAME (e.g., require a safe pattern like an optional leading "v" followed by
alphanumerics, ., _, -) and exit with an error if it doesn't match;
alternatively, escape sed metacharacters in TAG_NAME (and derived version/url)
before any sed command by replacing characters like | / & \ with escaped
versions so the sed substitution won't break. Ensure these checks/escapes are
applied to the TAG_NAME -> version/url flow and before the sed commands that
reference those variables.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 27bc6891-6ee9-48ce-94e6-653e329bd3e6

📥 Commits

Reviewing files that changed from the base of the PR and between 8580233 and 9009031.

📒 Files selected for processing (1)

• .github/workflows/homebrew.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Validate or escape TAG_NAME before use in sed patterns.

TAG_NAME originates from github.event.release.tag_name and is embedded directly into the url variable, which is later used unescaped in sed substitution patterns (lines 40-41). Git tags can contain characters like | (the sed delimiter), & (replacement metacharacter), or backslashes that could break the sed command or cause unintended substitutions.

While the curl download will likely fail for malformed URLs (providing implicit validation), consider adding explicit validation:

Proposed fix: validate tag format

          set -euo pipefail

+         # Validate tag format (vX.Y.Z)
+         if [[ ! "$TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+           echo "Invalid tag format: $TAG_NAME" >&2
+           exit 1
+         fi
+
          version="${TAG_NAME#v}"
          url="https://github.com/coderabbitai/git-worktree-runner/archive/refs/tags/${TAG_NAME}.tar.gz"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	GH_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
	TAG_NAME: ${{ github.event.release.tag_name }}
	run: |
	set -euo pipefail
	version="${TAG_NAME#v}"
	url="https://github.com/coderabbitai/git-worktree-runner/archive/refs/tags/${TAG_NAME}.tar.gz"
	GH_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
	TAG_NAME: ${{ github.event.release.tag_name }}
	run: |
	set -euo pipefail
	# Validate tag format (vX.Y.Z)
	if [[ ! "$TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
	echo "Invalid tag format: $TAG_NAME" >&2
	exit 1
	fi
	version="${TAG_NAME#v}"
	url="https://github.com/coderabbitai/git-worktree-runner/archive/refs/tags/${TAG_NAME}.tar.gz"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/homebrew.yml around lines 20 - 26, TAG_NAME is inserted
directly into url and later used in sed substitutions; validate or escape it
before use. Add a validation step for TAG_NAME (e.g., require a safe pattern
like an optional leading "v" followed by alphanumerics, ., _, -) and exit with
an error if it doesn't match; alternatively, escape sed metacharacters in
TAG_NAME (and derived version/url) before any sed command by replacing
characters like | / & \ with escaped versions so the sed substitution won't
break. Ensure these checks/escapes are applied to the TAG_NAME -> version/url
flow and before the sed commands that reference those variables.