Open
Replace the goreleaser-generated formula that downloaded a pre-built binary tarball and bin.installed it. The new formula downloads the GitHub-generated source archive for the tag and runs go build, matching what gh, glab, fly, and the rest of the Go CLI ecosystem do.

Why this is the right shape:
- brew audit --strict passes clean. The version-redundancy nag we hand-edited around twice is gone for good — there's no explicit version field to clash with the URL.
- No quarantine xattr on the installed binary, so Gatekeeper never gets involved on any user's machine. No signing or notarization needed to give users a clean experience.
- Same install command users already know: brew install bandwidth/tap/band. Install time goes from ~5s to ~22s, but the bulk of that is brew installing go as a build dep on machines that don't have it.
- Future-proof against goreleaser's brews block being phased out - we're not using that codepath anymore.

Restore --strict on the audit step now that the formula is clean.

The cli repo's release workflow uses mislav/bump-homebrew-formula-action to open a PR here on each tag push, automatically updating url and sha256 to the new release's source archive. Companion change is on cli's feat/source-build-formula branch.
✅ Snyk checks have passed. No issues have been found so far.
Summary

Replaces the goreleaser-generated formula that downloaded a pre-built binary tarball with a source-build formula that downloads the GitHub-generated tag source archive and runs `go build`. Matches what `gh`, `glab`, `fly`, and the rest of the Go CLI ecosystem do.

Validated locally: `brew audit --strict band` passes clean against this formula. Install completes in ~22s on a stock machine (6s of which is the actual compile). No quarantine xattr is set on the installed binary, so Gatekeeper never gets involved on any user's machine.

Changes

- `Formula/band.rb` — full rewrite to source-build form. Drops the explicit `version` field (extracted from URL automatically), the per-arch URL splits, and the separate Linux blocks. Same formula installs cleanly on macOS arm64, macOS Intel, and Linux brew.
- `.github/workflows/ci.yml` — restore `brew audit --strict` (was relaxed in Skip redundant-version check in brew audit #7 / Drop --strict from brew audit #8 to work around the goreleaser-generated formula's redundant `version` field; the source-build formula passes strict cleanly so we want full audit signal back).

Companion change on `Bandwidth/cli` (PR open) drops the `brews:` block from goreleaser and adds a follow-up workflow using `mislav/bump-homebrew-formula-action` to keep this formula in sync on each release.

Test plan

- `brew install bandwidth/tap/band` still works for fresh installs
- `brew upgrade band` works for users coming from the prior pre-built formula
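
A static check a reviewer could run on each automated bump PR before merging, as an added example that is not the tap's or the cli repo's own code: it confirms the formula text still has the source-build shape described above. `audit_formula` is a hypothetical helper, the `refs/tags` archive path is an assumption about the URL form, and the formula, version and digest in `SAMPLE_FORMULA` are constructed placeholders.

```ruby
require "uri"

# Assumption: upstream repo name as written in the PR text.
EXPECTED_REPO = "Bandwidth/cli"

# Returns an array of findings; an empty array means every check passed.
def audit_formula(text, repo: EXPECTED_REPO)
  findings = []
  urls = text.scan(/^\s*url\s+"([^"]+)"/).flatten
  shas = text.scan(/^\s*sha256\s+"([^"]+)"/).flatten
  # A source-build formula has one archive; several urls suggest per-arch binaries.
  findings << "expected 1 url, found #{urls.size}" unless urls.size == 1
  findings << "expected 1 sha256, found #{shas.size}" unless shas.size == 1
  # Assumption: the formula uses GitHub's /archive/refs/tags/<tag>.tar.gz form.
  tag_path = %r{\A/#{Regexp.escape(repo)}/archive/refs/tags/v?\d+(\.\d+)*\.tar\.gz\z}i
  urls.each do |u|
    uri = begin
      URI.parse(u)
    rescue URI::InvalidURIError
      nil
    end
    ok = uri && uri.scheme == "https" && uri.host == "github.com" && uri.path =~ tag_path
    findings << "url is not a tag source archive of #{repo}: #{u}" unless ok
  end
  shas.each { |s| findings << "sha256 is not 64 hex characters" unless s.match?(/\A\h{64}\z/) }
  findings << "explicit version field present" if text.match?(/^\s*version\s+"/)
  findings << "go is not a build dependency" unless text.match?(/depends_on\s+"go"\s*=>\s*:build/)
  findings << "no go build step" unless text.match?(/system\s+"go",\s*"build"/)
  findings
end

# Constructed sample, not the tap's real formula; version and digest are placeholders.
SAMPLE_FORMULA = <<~RUBY
  class Band < Formula
    url "https://github.com/Bandwidth/cli/archive/refs/tags/v0.0.0.tar.gz"
    sha256 "#{"0" * 64}"
    depends_on "go" => :build

    def install
      system "go", "build", *std_go_args
    end
  end
RUBY

puts audit_formula(SAMPLE_FORMULA).inspect
```

This only checks the shape of the formula text; confirming that the digest matches the downloaded archive still needs a fetch, which `brew` performs at install time.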