
fix: handle npm registry URLs in update-tap SHA256 calculation#57

Open
Yan Xue (yanxue06) wants to merge 1 commit into main from fix/update-tap-npm-sha256

Conversation

Member

@yanxue06 Yan Xue (yanxue06) commented Mar 21, 2026

Summary

  • The get_sha256() function in update-tap only handles GitHub release URLs and gitgate URLs
  • When updating an npm formula, the URL is an npm registry URL (e.g., https://registry.npmjs.org/foo/-/foo-1.0.0.tgz)
  • This URL was incorrectly parsed as a GitHub URL, producing garbage values for repo, tag, and asset, causing gh release download to fail
  • Added handling for npm registry URLs using curl to download the tarball directly

What changed

update-tap/action.yaml: Added npm registry URL detection in get_sha256() that uses curl instead of gh release download

Test plan

  • Trigger a tap update for an npm-type formula and verify the SHA256 is correctly computed
  • Verify GitHub release and gitgate URL paths still work correctly

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated the automated package update workflow to improve handling and verification of npm registry packages.

The get_sha256 function only handled GitHub and gitgate URLs, but the
npm formula type passes npm registry URLs (registry.npmjs.org). These
URLs were incorrectly parsed as GitHub URLs, causing gh release
download to fail with garbage repo/tag/asset values.

Added an npm registry URL branch that uses curl to download the
tarball directly before computing the SHA256.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 21, 2026 19:38

coderabbitai bot commented Mar 21, 2026

📝 Walkthrough

Walkthrough

A GitHub Actions workflow file is updated to add special-case handling in a SHA-256 computation helper function. When processing npm registry URLs, the function now downloads tarballs directly via curl and computes their hashes before continuing with the original logic for other repository types.

Changes

Cohort / File(s) Summary
GitHub Actions Workflow Enhancement
.github/blocks/update-tap/action.yaml
Added conditional logic to get_sha256() bash helper to handle registry.npmjs.org URLs separately, downloading tarballs directly via curl and computing SHA-256 before applying original repository/tag/asset resolution flow.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A hop through npm's registry so green,
Special paths for the files we've seen,
SHA-256 sums computed with care,
Tarball downloads floating through air,
Logic branching—a rabbit's delight! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check ✅ Passed: Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check ✅ Passed: The title accurately summarizes the main change: fixing SHA256 calculation for npm registry URLs in the update-tap action, which is the core purpose of this pull request.
  • Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
.github/blocks/update-tap/action.yaml (1)

82-89: Implementation looks correct for npm registry URLs.

The logic properly detects npm URLs, downloads the tarball directly via curl, computes the SHA256, and returns early. The curl flags (-sSfL) are appropriate.

One consideration: if curl fails (e.g., 404 or network error), the function will return an empty SHA256, which would then be written to the formula. This is consistent with the existing behavior for gh release download failures, but you may want to add error checking in a follow-up.

🛡️ Optional: Add error handling for download failures
          if echo "$url" | grep -q "registry.npmjs.org"; then
            # NPM registry URL: download tarball directly
            local filename=$(basename "$url")
-           curl -sSfL "$url" -o "$tmpdir/$filename"
+           if ! curl -sSfL "$url" -o "$tmpdir/$filename"; then
+             echo "::error::Failed to download $url"
+             rm -rf "$tmpdir"
+             return 1
+           fi
            shasum -a 256 "$tmpdir/$filename" | cut -d' ' -f1
            rm -rf "$tmpdir"
            return
          fi
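Review bot: the `return 1` added on the curl failure path is only visible to a caller that captures it, and the common `local sha=$(get_sha256 "$url")` form hides it, because the status of that line is `local`'s (always 0), not the function's. Where the helper is called, split declaration from assignment (`local sha; sha=$(get_sha256 "$url") || exit 1`) and additionally reject an empty result before writing it into the formula, so neither a silent failure nor a blank checksum reaches the tap. The `rm -rf "$tmpdir"` now duplicated on both exit paths would be simpler as a single cleanup after the branch returns its status.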

This would require the caller to check the return value, which would be a larger refactor to apply consistently to all download paths.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/blocks/update-tap/action.yaml around lines 82 - 89, The npm-registry
branch detects registry.npmjs.org and downloads the tarball with curl but
doesn't handle curl failure, which lets an empty SHA256 be returned; after the
curl call (curl -sSfL "$url" -o "$tmpdir/$filename") check its exit status and,
on failure, emit an error/log and exit/return non-zero (or otherwise abort the
function) instead of proceeding to shasum and returning an empty value; ensure
the same branch cleans up $tmpdir on error and does not write a blank checksum.


📥 Commits

Reviewing files that changed from the base of the PR and between 44602bd and 588091e.

📒 Files selected for processing (1)
  • .github/blocks/update-tap/action.yaml

Contributor

Copilot AI left a comment

Pull request overview

This PR updates the update-tap composite action to correctly compute SHA256 for Homebrew formulas whose source URLs point at the npm registry, avoiding incorrect GitHub URL parsing.

Changes:

  • Detect registry.npmjs.org URLs in get_sha256() and download tarballs directly via curl before hashing.
  • Preserve existing GitHub release / gitgate.internal handling paths for non-npm URLs.


Comment on lines 80 to +84
local tmpdir=$(mktemp -d)

if echo "$url" | grep -q "registry.npmjs.org"; then
# NPM registry URL: download tarball directly
local filename=$(basename "$url")
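Review bot: `local tmpdir=$(mktemp -d)` masks a failing `mktemp`, since the line's exit status is `local`'s 0; with an empty `$tmpdir` the download target on the npm branch becomes `/$filename`. Declare and assign separately (`local tmpdir; tmpdir=$(mktemp -d) || return 1`) so the function stops before it tries to write anywhere outside the temp directory.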
Copilot AI Mar 21, 2026

tmpdir cleanup is manual and only happens on the success path. With shell: bash (runs with -e), any failure in curl/shasum will exit and leave the temp directory behind. Consider adding a trap 'rm -rf "$tmpdir"' RETURN right after mktemp -d to guarantee cleanup.

Comment on lines +82 to +86
if echo "$url" | grep -q "registry.npmjs.org"; then
# NPM registry URL: download tarball directly
local filename=$(basename "$url")
curl -sSfL "$url" -o "$tmpdir/$filename"
shasum -a 256 "$tmpdir/$filename" | cut -d' ' -f1
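Review bot: `echo "$url" | grep -q "registry.npmjs.org"` is an unanchored substring match with unescaped dots, so it classifies any URL that contains that text anywhere (for example in a path segment on another host) as an npm tarball and curls it directly. Anchor the test on scheme and host, e.g. `case "$url" in https://registry.npmjs.org/*) ...;; esac`, which also drops the `echo | grep` pipeline; the same applies to however the gitgate branch below matches its host.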
Copilot AI Mar 21, 2026

This conditional adds an npm special-case, but the fallback still implicitly assumes a GitHub release download URL for everything else. In this action, get_sha256 is also used with GitHub tag tarballs (.../archive/refs/tags/...), which will be mis-parsed and cause gh release download to fail. Consider gating the gh release download path on URLs that actually contain /releases/download/, and using a direct download (curl, possibly with auth) for other GitHub URLs.

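Both the PR summary and the second Copilot comment come down to the same root cause: get_sha256 assumes every URL it is handed is a GitHub release asset. The following is an added example, not the update-tap action's own code, of a get_sha256 that dispatches on the URL shape (npm registry tarball, GitHub release asset, GitHub tag archive, gitgate) and that prints nothing and returns non-zero on any failure, so a caller can never write a blank checksum. It goes beyond the PR's npm branch by covering the tag-archive case Copilot raised and the error handling CodeRabbit asked for. Assumptions: the gitgate host name gitgate.internal and routing it to a plain curl download (the action's real gitgate handling is not shown on this page), the gh release download invocation, the GET_SHA256_FETCH override used to run the function offline, and all helper names.

```shell
#!/usr/bin/env bash
# Added example, not the update-tap action's own code: a get_sha256 that
# dispatches on the URL shape and fails loudly instead of returning "".
set -eu

# Classify a formula source URL. A `case` pattern on scheme and host is
# anchored; `grep -q "registry.npmjs.org"` would also match a URL that
# merely contains that string somewhere in its path.
url_kind() {
  case "$1" in
    https://registry.npmjs.org/*)             echo npm ;;
    https://github.com/*/releases/download/*) echo gh-release ;;
    https://github.com/*/archive/refs/tags/*) echo gh-archive ;;
    https://gitgate.internal/*)               echo gitgate ;;   # assumed host name
    *)                                        echo unknown ;;
  esac
}

# owner/repo, tag and asset from a GitHub release download URL, printed
# TAB-separated; non-zero if the URL is not of that shape (so a tag
# archive URL can never be turned into garbage repo/tag/asset values).
gh_release_parts() {
  case "$1" in
    https://github.com/*/*/releases/download/*/*) ;;
    *) return 1 ;;
  esac
  local rest repo tail tag asset
  rest="${1#https://github.com/}"
  repo="${rest%%/releases/download/*}"
  tail="${rest#*/releases/download/}"
  tag="${tail%%/*}"
  asset="${tail#*/}"
  printf '%s\t%s\t%s\n' "$repo" "$tag" "$asset"
}

# SHA-256 of a local file, portable across GNU coreutils and macOS.
sha256_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Default fetcher: download $1 to the path $2. Assumed tooling: curl for
# direct downloads, gh for release assets. Tests point GET_SHA256_FETCH
# at an offline stub instead.
fetch_default() {
  local url="$1" dest="$2" parts repo tag asset dir
  case "$(url_kind "$url")" in
    gh-release)
      parts="$(gh_release_parts "$url")" || return 1
      repo="$(printf '%s' "$parts" | cut -f1)"
      tag="$(printf '%s' "$parts" | cut -f2)"
      asset="$(printf '%s' "$parts" | cut -f3)"
      dir="$(dirname "$dest")"
      gh release download "$tag" --repo "$repo" --pattern "$asset" --dir "$dir" || return 1
      [ "$dir/$asset" = "$dest" ] || mv "$dir/$asset" "$dest" ;;
    npm|gh-archive|gitgate)
      curl -sSfL "$url" -o "$dest" ;;
    *)
      echo "get_sha256: unsupported URL: $url" >&2; return 1 ;;
  esac
}

# Inner step: fetch into the given temp dir and hash. Any failure returns
# non-zero with nothing on stdout.
_sha256_fetched() {
  local url="$1" tmpdir="$2" dest
  dest="$tmpdir/$(basename "${url%%\?*}")"
  "${GET_SHA256_FETCH:-fetch_default}" "$url" "$dest" \
    || { echo "get_sha256: download failed: $url" >&2; return 1; }
  [ -s "$dest" ] || { echo "get_sha256: empty download: $url" >&2; return 1; }
  sha256_file "$dest"
}

# Public entry point: temp dir is created with its status checked and is
# removed on every path, success or failure.
get_sha256() {
  local url="$1" tmpdir rc=0
  tmpdir="$(mktemp -d)" || return 1
  _sha256_fetched "$url" "$tmpdir" || rc=$?
  rm -rf "$tmpdir"
  return "$rc"
}

# Caller pattern: assign first, then check. `local sha=$(get_sha256 ...)`
# would replace the function's exit status with local's own 0.
update_formula_sha() {
  local url="$1" sha
  sha="$(get_sha256 "$url")" || { echo "refusing to update formula for $url" >&2; return 1; }
  echo "$sha"
}
```

Run with `update_formula_sha https://registry.npmjs.org/foo/-/foo-1.0.0.tgz` to get a checksum or a non-zero exit, never an empty string; the classification step is the only part that needs to know about URL shapes, so adding another source type means one more `case` arm rather than another special case inside the hashing logic.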