8 changes: 5 additions & 3 deletions .github/workflows/release-homebrew.yml
Expand Up @@ -74,11 +74,13 @@ jobs:

- name: Test formula installation
run: |
cd homebrew-tap
brew install --build-from-source "./${FORMULA_PATH}"
# Register the local clone as a tap before installing β€”
# Homebrew rejects formulae that aren't referenced via a tap.
brew tap docdyhr/homebrew-tap "$(pwd)/homebrew-tap"
brew install --build-from-source docdyhr/homebrew-tap/macversiontracker
P1: Test modified formula file directly before pushing

In .github/workflows/release-homebrew.yml, this step now runs brew tap ... "$(pwd)/homebrew-tap" and then installs from the tap before the formula update is committed. brew tap <user>/<repo> <URL> clones the repo at that URL, so the tapped copy does not include the uncommitted edits made in the previous awk update step. As a result, the install test can succeed against the old committed formula while the newly generated Formula/macversiontracker.rb (new version/SHA) is never validated and may be pushed broken.


versiontracker --help
versiontracker --version
brew uninstall macversiontracker || true
brew uninstall docdyhr/homebrew-tap/macversiontracker || true

- name: Push updated formula to tap
env:
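Review bot: the install test on the `brew tap docdyhr/homebrew-tap "$(pwd)/homebrew-tap"` and `brew install --build-from-source docdyhr/homebrew-tap/macversiontracker` lines exercises whatever commit the local clone currently has, not the formula edited in its working tree, because tapping clones the repository at the given path; unless the updated Formula/macversiontracker.rb is committed inside homebrew-tap before this step, the test passes against the previous formula and the new version/SHA pair reaches the push step unverified. Commit the formula locally first (for example `git -C homebrew-tap add "${FORMULA_PATH}"` followed by a `git -C homebrew-tap commit`) and only then tap, and have the test compare the output of `versiontracker --version` against the release version being published rather than only checking that the command exits 0, so a stale formula fails this job instead of being pushed.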
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Expand Up @@ -298,7 +298,7 @@ jobs:
path: dist/

- name: Sign distributions with Sigstore
uses: sigstore/gh-action-sigstore-python@v3
uses: sigstore/gh-action-sigstore-python@v3.3.0
🚨 suggestion (security): Consider pinning the Sigstore action to a commit SHA for stronger supply-chain guarantees.

Pinning to v3.3.0 is an improvement over a moving v3 tag, but tags can be retargeted. For signing steps, prefer pinning to a specific commit SHA (optionally with a comment noting the tag) so the workflow always runs the exact same code.

Suggested implementation:

```yaml
      - name: Sign distributions with Sigstore
        # v3.3.0
        uses: sigstore/gh-action-sigstore-python@<COMMIT-SHA-FOR-v3.3.0>
        with:
          inputs: >-
            ./dist/*.tar.gz
```

Replace <COMMIT-SHA-FOR-v3.3.0> with the actual commit SHA corresponding to the v3.3.0 tag of sigstore/gh-action-sigstore-python. You can obtain this SHA by:

1. Visiting the GitHub repo sigstore/gh-action-sigstore-python.
2. Checking the v3.3.0 release/tag and copying its commit SHA.
3. Pasting that SHA in place of the placeholder.

with:
inputs: >-
./dist/*.tar.gz
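Review bot: the `uses: sigstore/gh-action-sigstore-python@v3.3.0` line still pins a mutable tag; for the step that signs release artifacts, pin the full commit SHA and keep the tag in a trailing comment (`uses: sigstore/gh-action-sigstore-python@<commit-sha-for-v3.3.0> # v3.3.0`) so that a retargeted tag cannot change which code produces the signatures, and let Dependabot or an equivalent bump the SHA when a new tag is released. Separately, the unchanged `inputs: >-` / `./dist/*.tar.gz` glob signs only the sdist: if the build step that populates dist/ also produces wheels, add `./dist/*.whl` to the inputs, or those artifacts will be published without Sigstore signatures.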