From 8f4909939c2cb2219e2da277cfbf9b2b02781853 Mon Sep 17 00:00:00 2001
From: stxkxs <stxkxs@users.noreply.github.com>
Date: Fri, 5 Jun 2026 22:28:25 -0700
Subject: [PATCH] release: open a homebrew-tap PR instead of direct-pushing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

homebrew-tap's main is branch-protected (requires a PR), so goreleaser's default
direct push is rejected even with a valid token — which is why the v1.0.0 and
v2.0.0 release runs failed the brew step (I published v2.0.0's formula by hand via
a PR). Enable brews.repository.pull_request so the release opens a formula PR that
satisfies the protection. Pairs with restoring the HOMEBREW_TAP_GITHUB_TOKEN's
write access to the tap (owner). goreleaser check passes.
---
 .goreleaser.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 1295575..ddab7db 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -48,6 +48,10 @@ brews:
       owner: nanohype
       name: homebrew-tap
       token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
+      # homebrew-tap's main is branch-protected (requires a PR), so a direct push
+      # is rejected even with a valid token. Open a formula PR instead.
+      pull_request:
+        enabled: true
     directory: Formula
     homepage: "https://github.com/nanohype/cloudgov"
     description: "AWS governance CLI — IAM least-privilege, cost anomalies, posture, drift, compliance, and resource hygiene across AWS, plus a Kubernetes RBAC scanner"