release: preflight tap token push access and retry push auth

2026-03-19 04:12:56 -04:00 · 2026-03-02 18:24:56 -05:00
parent af9dcc8d15
commit 33c45a66af
2 changed files with 26 additions and 2 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -62,10 +62,20 @@ jobs:
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_REPO: ${{ vars.HOMEBREW_TAP_REPO }}
+          HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
        run: |
          set -euo pipefail
          [[ -n "${HOMEBREW_TAP_REPO:-}" ]] || { echo "missing required variable: HOMEBREW_TAP_REPO" >&2; exit 1; }
          gh repo view "${HOMEBREW_TAP_REPO}" >/dev/null
+          # Validate that the release push token can write to the tap repo.
+          tap_push_permission="$(
+            GH_TOKEN="${HOMEBREW_TAP_TOKEN}" \
+              gh api "repos/${HOMEBREW_TAP_REPO}" --jq '.permissions.push // false'
+          )"
+          if [[ "${tap_push_permission}" != "true" ]]; then
+            echo "HOMEBREW_TAP_TOKEN does not have push access to ${HOMEBREW_TAP_REPO}" >&2
+            exit 1
+          fi

      - name: Require successful CI checks on tagged commit
        working-directory: ${{ github.workspace }}