Adds a publish-homebrew job to the release workflow that renders
Formula/safe-chain.rb from a template (substituting the released
version + per-platform SHA256s parsed from the install script asset)
and pushes it to AikidoSec/homebrew-tap on every non-prerelease.
Users can then install via:
brew install AikidoSec/tap/safe-chain
safe-chain setup
The formula downloads the existing prebuilt single-file binaries
from the GitHub release (the same ones the install script uses),
so there is no extra build work in this pipeline.
One-time maintainer setup (creating the AikidoSec/homebrew-tap repo
and adding HOMEBREW_TAP_TOKEN as a secret on safe-chain) is documented
in docs/homebrew.md.
Tested locally on macOS arm64 with Homebrew 5.1.11:
- brew style: 0 offenses
- brew install --build-from-source: success
- brew test: 2 assertions pass (--version + help)
- brew audit --new: 0 offenses
This PR addresses item 1 of #372 (Homebrew only). The integrity-check
piece in item 2 has already shipped — install-safe-chain.sh already
calls verify_checksum() against the baked-in SHA256s. winget and
Chocolatey are not in scope here; see docs/homebrew.md for notes on
why they belong in separate PRs.
Bun retries blocked downloads, so the count in "blocked N malicious
package downloads" can be >1. Match on the surrounding text rather than
a fixed count to keep the assertion robust.
Also drops the brittle "pdm update updates dependencies" case.
The user-facing message is "Safe-chain: blocked N malicious package
downloads", not "blocked by safe-chain" (which only appears in the
proxy's HTTP response, not the rendered CLI output).
The safe-chain-pi-test package no longer exists on PyPI. Aikido now
patches numpy==2.4.4 into the malware list for tests, matching the
pattern already used in the poetry e2e suite.
The install message in `safe-chain setup` help was hardcoding a stale
list of package managers (missing uv, uvx, poetry, pipx, pdm). Use the
existing getPackageManagerList() helper so the list stays in sync with
knownAikidoTools.
