mirror of
https://github.com/AikidoSec/safe-chain.git
synced 2026-05-26 12:10:49 +00:00
Add Homebrew tap for safe-chain (closes #372)
Adds a publish-homebrew job to the release workflow that renders Formula/safe-chain.rb from a template (substituting the released version + per-platform SHA256s parsed from the install script asset) and pushes it to AikidoSec/homebrew-tap on every non-prerelease. Users can then install via: brew install AikidoSec/tap/safe-chain safe-chain setup The formula downloads the existing prebuilt single-file binaries from the GitHub release (the same ones the install script uses), so there is no extra build work in this pipeline. One-time maintainer setup (creating the AikidoSec/homebrew-tap repo and adding HOMEBREW_TAP_TOKEN as a secret on safe-chain) is documented in docs/homebrew.md. Tested locally on macOS arm64 with Homebrew 5.1.11: - brew style: 0 offenses - brew install --build-from-source: success - brew test: 2 assertions pass (--version + help) - brew audit --new: 0 offenses This PR addresses item 1 of #372 (Homebrew only). The integrity-check piece in item 2 has already shipped — install-safe-chain.sh already calls verify_checksum() against the baked-in SHA256s. winget and Chocolatey are not in scope here; see docs/homebrew.md for notes on why they belong in separate PRs.
This commit is contained in:
Ethan Setnik
parent
65a8075b0e
commit
e976d100f3
3 changed files with 306 additions and 0 deletions
181
.github/workflows/build-and-release.yml
vendored
181
.github/workflows/build-and-release.yml
vendored
|
|
@ -130,6 +130,187 @@ jobs:
|
|||
release-artifacts/uninstall-endpoint-mac.sh \
|
||||
release-artifacts/uninstall-endpoint-windows.ps1
|
||||
|
||||
publish-homebrew:
|
||||
name: Update Homebrew tap
|
||||
if: github.event_name == 'release' && !github.event.release.prerelease
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Extract SHA256 checksums from the released install script
|
||||
env:
|
||||
VERSION: ${{ github.event.release.tag_name }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
# The release pipeline already bakes per-platform SHA256s into
|
||||
# install-safe-chain.sh. Parse them out instead of re-downloading
|
||||
# ~200MB of binaries just to recompute the same hashes.
|
||||
curl -fsSL --retry 3 \
|
||||
"https://github.com/AikidoSec/safe-chain/releases/download/${VERSION}/install-safe-chain.sh" \
|
||||
-o install-safe-chain.sh
|
||||
|
||||
extract_sha() {
|
||||
grep -E "^${1}=\"[a-f0-9]+\"" install-safe-chain.sh \
|
||||
| head -n1 \
|
||||
| sed -E "s/^${1}=\"([a-f0-9]+)\"/\1/"
|
||||
}
|
||||
|
||||
{
|
||||
echo "SHA_MACOS_X64=$(extract_sha SHA256_MACOS_X64)"
|
||||
echo "SHA_MACOS_ARM64=$(extract_sha SHA256_MACOS_ARM64)"
|
||||
echo "SHA_LINUX_X64=$(extract_sha SHA256_LINUX_X64)"
|
||||
echo "SHA_LINUX_ARM64=$(extract_sha SHA256_LINUX_ARM64)"
|
||||
} >> "$GITHUB_ENV"
|
||||
|
||||
- name: Verify all checksums were extracted
|
||||
run: |
|
||||
set -euo pipefail
|
||||
missing=()
|
||||
for var in SHA_MACOS_X64 SHA_MACOS_ARM64 SHA_LINUX_X64 SHA_LINUX_ARM64; do
|
||||
if [ -z "${!var:-}" ]; then
|
||||
missing+=("$var")
|
||||
fi
|
||||
done
|
||||
if [ ${#missing[@]} -gt 0 ]; then
|
||||
echo "::error::Could not extract checksum(s) from install-safe-chain.sh: ${missing[*]}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: Checkout Homebrew tap
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
repository: AikidoSec/homebrew-tap
|
||||
path: homebrew-tap
|
||||
token: ${{ secrets.HOMEBREW_TAP_TOKEN }}
|
||||
persist-credentials: true
|
||||
|
||||
- name: Render formula from template
|
||||
env:
|
||||
VERSION: ${{ github.event.release.tag_name }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
mkdir -p homebrew-tap/Formula
|
||||
|
||||
# Quoted heredoc preserves Ruby `#{version}` interpolation and the
|
||||
# backticks inside the caveats string. Placeholders are substituted
|
||||
# with sed below, after the heredoc is written.
|
||||
cat > homebrew-tap/Formula/safe-chain.rb <<'RUBY'
|
||||
# typed: strict
|
||||
# frozen_string_literal: true
|
||||
|
||||
# This file is auto-generated by AikidoSec/safe-chain's release
|
||||
# workflow. Do not edit by hand — changes will be overwritten on
|
||||
# the next release.
|
||||
#
|
||||
# Aikido Safe Chain wraps your package managers (npm, yarn, pnpm,
|
||||
# pip, poetry, uv, ...) and blocks installations of known-malicious
|
||||
# packages using the Aikido Intel feed.
|
||||
class SafeChain < Formula
|
||||
desc "Block malicious packages from npm, yarn, pnpm, pip, poetry and uv"
|
||||
homepage "https://github.com/AikidoSec/safe-chain"
|
||||
version "__VERSION__"
|
||||
license "AGPL-3.0-or-later"
|
||||
|
||||
livecheck do
|
||||
url :stable
|
||||
strategy :github_latest
|
||||
end
|
||||
|
||||
on_macos do
|
||||
on_arm do
|
||||
url "https://github.com/AikidoSec/safe-chain/releases/download/#{version}/safe-chain-macos-arm64",
|
||||
using: :nounzip
|
||||
sha256 "__SHA_MACOS_ARM64__"
|
||||
end
|
||||
on_intel do
|
||||
url "https://github.com/AikidoSec/safe-chain/releases/download/#{version}/safe-chain-macos-x64",
|
||||
using: :nounzip
|
||||
sha256 "__SHA_MACOS_X64__"
|
||||
end
|
||||
end
|
||||
|
||||
on_linux do
|
||||
on_arm do
|
||||
url "https://github.com/AikidoSec/safe-chain/releases/download/#{version}/safe-chain-linux-arm64",
|
||||
using: :nounzip
|
||||
sha256 "__SHA_LINUX_ARM64__"
|
||||
end
|
||||
on_intel do
|
||||
url "https://github.com/AikidoSec/safe-chain/releases/download/#{version}/safe-chain-linux-x64",
|
||||
using: :nounzip
|
||||
sha256 "__SHA_LINUX_X64__"
|
||||
end
|
||||
end
|
||||
|
||||
def install
|
||||
binary_name = if OS.mac?
|
||||
Hardware::CPU.arm? ? "safe-chain-macos-arm64" : "safe-chain-macos-x64"
|
||||
else
|
||||
Hardware::CPU.arm? ? "safe-chain-linux-arm64" : "safe-chain-linux-x64"
|
||||
end
|
||||
|
||||
chmod 0755, binary_name
|
||||
bin.install binary_name => "safe-chain"
|
||||
end
|
||||
|
||||
def caveats
|
||||
<<~CAVEATS
|
||||
Aikido Safe Chain works by wrapping your package managers (npm, yarn,
|
||||
pnpm, pip, poetry, uv, ...) with shell aliases. After installing, run:
|
||||
|
||||
safe-chain setup
|
||||
|
||||
For CI/non-interactive environments, use:
|
||||
|
||||
safe-chain setup-ci
|
||||
|
||||
Then restart your shell (or `source ~/.zshrc` / `~/.bashrc`) so the
|
||||
new aliases are picked up.
|
||||
CAVEATS
|
||||
end
|
||||
|
||||
test do
|
||||
assert_match version.to_s, shell_output("#{bin}/safe-chain --version")
|
||||
assert_match "safe-chain setup", shell_output("#{bin}/safe-chain help")
|
||||
end
|
||||
end
|
||||
RUBY
|
||||
|
||||
sed -i \
|
||||
-e "s|__VERSION__|${VERSION}|g" \
|
||||
-e "s|__SHA_MACOS_ARM64__|${SHA_MACOS_ARM64}|g" \
|
||||
-e "s|__SHA_MACOS_X64__|${SHA_MACOS_X64}|g" \
|
||||
-e "s|__SHA_LINUX_ARM64__|${SHA_LINUX_ARM64}|g" \
|
||||
-e "s|__SHA_LINUX_X64__|${SHA_LINUX_X64}|g" \
|
||||
homebrew-tap/Formula/safe-chain.rb
|
||||
|
||||
# Fail fast if any placeholder wasn't substituted (e.g. a new
|
||||
# __XXX__ added to the template without a matching sed rule).
|
||||
if grep -q "__[A-Z_]*__" homebrew-tap/Formula/safe-chain.rb; then
|
||||
echo "::error::Unsubstituted placeholder(s) remain in the formula:"
|
||||
grep -n "__[A-Z_]*__" homebrew-tap/Formula/safe-chain.rb
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: Commit and push formula update
|
||||
working-directory: homebrew-tap
|
||||
env:
|
||||
VERSION: ${{ github.event.release.tag_name }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
git config user.name "github-actions[bot]"
|
||||
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
||||
|
||||
git add Formula/safe-chain.rb
|
||||
|
||||
if git diff --staged --quiet; then
|
||||
echo "No formula changes to commit."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
git commit -m "safe-chain ${VERSION}"
|
||||
git push
|
||||
|
||||
publish-npm:
|
||||
name: Publish to npm
|
||||
if: github.event_name == 'release'
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue