release: preflight tap token via git remote auth

2026-03-19 12:12:57 -04:00 · 2026-03-02 18:47:10 -05:00
parent 33c45a66af
commit 6dab2259de
1 changed files with 12 additions and 8 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -67,15 +67,19 @@ jobs:
          set -euo pipefail
          [[ -n "${HOMEBREW_TAP_REPO:-}" ]] || { echo "missing required variable: HOMEBREW_TAP_REPO" >&2; exit 1; }
          gh repo view "${HOMEBREW_TAP_REPO}" >/dev/null
-          # Validate that the release push token can write to the tap repo.
-          tap_push_permission="$(
-            GH_TOKEN="${HOMEBREW_TAP_TOKEN}" \
-              gh api "repos/${HOMEBREW_TAP_REPO}" --jq '.permissions.push // false'
-          )"
-          if [[ "${tap_push_permission}" != "true" ]]; then
-            echo "HOMEBREW_TAP_TOKEN does not have push access to ${HOMEBREW_TAP_REPO}" >&2
-            exit 1
+          # Validate token auth against the exact git remote path used for tap sync.
+          tap_token="$(printf '%s' "${HOMEBREW_TAP_TOKEN}" | tr -d '\r\n')"
+          tap_owner="${HOMEBREW_TAP_REPO%%/*}"
+          tap_url_primary="https://${tap_owner}:${tap_token}@github.com/${HOMEBREW_TAP_REPO}.git"
+          tap_url_fallback="https://x-access-token:${tap_token}@github.com/${HOMEBREW_TAP_REPO}.git"
+          if git ls-remote --heads "${tap_url_primary}" >/dev/null 2>&1; then
+            exit 0
          fi
+          if git ls-remote --heads "${tap_url_fallback}" >/dev/null 2>&1; then
+            exit 0
+          fi
+          echo "HOMEBREW_TAP_TOKEN cannot access ${HOMEBREW_TAP_REPO} via git over HTTPS" >&2
+          exit 1

      - name: Require successful CI checks on tagged commit
        working-directory: ${{ github.workspace }}