📝 Walkthrough
The changes configure the release pipeline to generate shell completion scripts during the build process, package them with the application archives, and distribute the application via Homebrew casks with macOS-specific post-installation handling. A Homebrew token is added to the CI workflow for authentication.
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
🧹 Nitpick comments (2)
.goreleaser.yaml (1)
7-11: Keep release hooks read-only; remove go mod tidy from publish path.
At Line 7, go mod tidy can mutate module files during release, which makes artifacts less reproducible from the tag. Prefer enforcing tidy in lint/CI, not in publish hooks.
Proposed change
before: hooks: - - go mod tidy - mkdir -p completions - sh -c "go run . completion bash > completions/lstk.bash" - sh -c "go run . completion zsh > completions/lstk.zsh" - sh -c "go run . completion fish > completions/lstk.fish"🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.goreleaser.yaml around lines 7 - 11, Remove the mutating "go mod tidy" command from the publish hooks in .goreleaser.yaml so release hooks remain read-only; locate the entry containing the line 'go mod tidy' in the publish/hooks (the commands that include 'sh -c "go run . completion ..."' and delete that single 'go mod tidy' command, keeping the completion generation steps intact, and instead ensure tidiness is enforced in CI/lint pipelines rather than in the publish hook.
.github/workflows/ci.yml (1)
160-160: Use a dedicated tap token secret instead of PRO_ACCESS_TOKEN.
At Line 160, consider switching to a purpose-scoped secret (least privilege) for Homebrew tap publishing.
Proposed change
- HOMEBREW_TAP_TOKEN: ${{ secrets.PRO_ACCESS_TOKEN }} + HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/ci.yml at line 160, Replace the broad PRO_ACCESS_TOKEN secret with a purpose-scoped Homebrew tap secret: change the environment entry HOMEBREW_TAP_TOKEN: ${{ secrets.PRO_ACCESS_TOKEN }} to HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }} and create the new repository secret named HOMEBREW_TAP_TOKEN in the repo/organization secrets (or update actions secrets) with the minimum-scoped token used for Homebrew tap publishing; ensure any workflows or docs referencing PRO_ACCESS_TOKEN for tap publishing are updated to reference HOMEBREW_TAP_TOKEN instead.
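Review bot: the added line reads secrets.HOMEBREW_TAP_TOKEN, and that secret has to exist in the repository or organization secrets before this merges. An unset secret expands to an empty string, so the release job would still run and only the push to the tap would fail on authentication. Create the secret first, preferably as a fine-grained token limited to the localstack/homebrew-tap repository with contents write access only, so that a leak from this release job cannot be used against anything else PRO_ACCESS_TOKEN can write to.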
Adds automatic Homebrew cask publishing to localstack/homebrew-tap via GoReleaser. This is the first step toward Homebrew distribution. Once this works, we can submit to homebrew-core for brew install lstk without the tap.

Changes
- homebrew_casks config to .goreleaser.yaml
- HOMEBREW_TAP_TOKEN to release job

After merge
- localstack/homebrew-tap/Casks/lstk.rb
- brew tap localstack/tap && brew install --cask lstk

Validation
- goreleaser check passes
- PRO_ACCESS_TOKEN already has write access to homebrew-tap (used by localstack-cli)