Adds a publish-homebrew job to the release workflow that renders
Formula/safe-chain.rb from a template (substituting the released
version + per-platform SHA256s parsed from the install script asset)
and pushes it to AikidoSec/homebrew-tap on every non-prerelease.
Users can then install via:
brew install AikidoSec/tap/safe-chain
safe-chain setup
The formula downloads the existing prebuilt single-file binaries
from the GitHub release (the same ones the install script uses),
so there is no extra build work in this pipeline.
One-time maintainer setup (creating the AikidoSec/homebrew-tap repo
and adding HOMEBREW_TAP_TOKEN as a secret on safe-chain) is documented
in docs/homebrew.md.
Tested locally on macOS arm64 with Homebrew 5.1.11:
- brew style: 0 offenses
- brew install --build-from-source: success
- brew test: 2 assertions pass (--version + help)
- brew audit --new: 0 offenses
This PR addresses item 1 of #372 (Homebrew only). The integrity-check
piece in item 2 has already shipped — install-safe-chain.sh already
calls verify_checksum() against the baked-in SHA256s. winget and
Chocolatey are not in scope here; see docs/homebrew.md for notes on
why they belong in separate PRs.
Add uvx as a supported package manager so that `uvx` commands are
routed through safe-chain's MITM proxy for malware detection, just
like `uv`. Previously, `uvx` bypassed all safe-chain protections.
The uvx package manager reuses the existing uv command runner since
uvx is functionally equivalent to `uv tool run`.
Fixes#268
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
