From 33c45a66afad42dd99454c447f94758f2575ea2e Mon Sep 17 00:00:00 2001
From: bybrooklyn
Date: Mon, 2 Mar 2026 18:24:56 -0500
Subject: [PATCH] release: preflight tap token push access and retry push auth
---
 .github/workflows/release.yml | 10 ++++++++++
 packaging/homebrew/sync_tap.sh | 18 ++++++++++++++++--
 2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bffd287..11ab46f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -62,10 +62,20 @@ jobs:
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 HOMEBREW_TAP_REPO: ${{ vars.HOMEBREW_TAP_REPO }}
+ HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
 run: |
 set -euo pipefail
 [[ -n "${HOMEBREW_TAP_REPO:-}" ]] || { echo "missing required variable: HOMEBREW_TAP_REPO" >&2; exit 1; }
 gh repo view "${HOMEBREW_TAP_REPO}" >/dev/null
+ # Validate that the release push token can write to the tap repo.
+ tap_push_permission="$(
+ GH_TOKEN="${HOMEBREW_TAP_TOKEN}" \
+ gh api "repos/${HOMEBREW_TAP_REPO}" --jq '.permissions.push // false'
+ )"
+ if [[ "${tap_push_permission}" != "true" ]]; then
+ echo "HOMEBREW_TAP_TOKEN does not have push access to ${HOMEBREW_TAP_REPO}" >&2
+ exit 1
+ fi
 
 - name: Require successful CI checks on tagged commit
 working-directory: ${{ github.workspace }}
diff --git a/packaging/homebrew/sync_tap.sh b/packaging/homebrew/sync_tap.sh
index 6780faa..734d510 100755
--- a/packaging/homebrew/sync_tap.sh
+++ b/packaging/homebrew/sync_tap.sh
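Review bot: In the release.yml preflight, `HOMEBREW_TAP_TOKEN` is used without a non-empty check, unlike `HOMEBREW_TAP_REPO` a few lines above it. An unset secret normally reaches the step as an empty string, so `set -u` will not catch it and the step would fail with a gh authentication error rather than a clear message. Adding `[[ -n "${HOMEBREW_TAP_TOKEN:-}" ]] || { echo "missing required secret: HOMEBREW_TAP_TOKEN" >&2; exit 1; }` before the `gh api` call would mirror the existing guard. It is also worth a comment that `.permissions.push` may describe the token owner's role on the repository rather than the token's own scopes, so `true` here may not guarantee that the later `git push` is authorised; confirm this for the token type in use. The step's `name`/`run` header starts outside the hunk.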
@@ -55,5 +55,19 @@ git commit -m "Update openbitdo formula" || {
 echo "no formula changes to push"
 exit 0
 }
-git remote set-url origin "https://${TAP_USER}:${HOMEBREW_TAP_TOKEN}@github.com/${TAP_REPO}.git"
-git push
+
+push_with_user() {
+ local user="$1"
+ git remote set-url origin "https://${user}:${HOMEBREW_TAP_TOKEN}@github.com/${TAP_REPO}.git"
+ git push
+}
+
+if ! push_with_user "$TAP_USER"; then
+ # Some token types require x-access-token as the username for writes.
+ if [[ "$TAP_USER" != "x-access-token" ]]; then
+ push_with_user "x-access-token"
+ else
+ echo "failed to push formula updates to ${TAP_REPO}" >&2
+ exit 1
+ fi
+fi
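Review bot: A failed retry `push_with_user "x-access-token"` is never reported by the script itself, because the `echo "failed to push formula updates ..."` / `exit 1` branch runs only when `TAP_USER` is already `x-access-token`; whether the script then exits non-zero depends on `set -e` or on this being the last command, neither of which is visible in the hunk. Folding both cases into one condition, `if [[ "$TAP_USER" == "x-access-token" ]] || ! push_with_user "x-access-token"; then`, followed by the existing message and `exit 1`, gives every failure the same explicit exit. Because `push_with_user` is first called from an `if !` condition, errexit is ignored inside it, so `git remote set-url ... || return` is needed to avoid pushing after a failed URL change. The token is also stored in `.git/config` through the remote URL and stays there after the push, now possibly under two usernames. Resetting origin to a URL without credentials afterwards, or supplying the token through a credential helper, would limit how long it sits on the runner.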