
ci(release): issue Homebrew tap token via Vault instead of a static PAT#15

Closed
kshahbw wants to merge 2 commits into main from ci/homebrew-tap-vault-token

Conversation

kshahbw (Contributor) commented Jun 29, 2026

What

Swaps the dead HOMEBREW_TAP_TOKEN static PAT in the bump-formula release job for a short-lived GitHub PAT minted by Bandwidth/vault-provider-action@v1 (export-github-pat: true). The token is issued via OIDC → Vault, lives for one hour, and is auto-revoked at the end of the job.

Scope is pinned to the repo's BAND SWI durable team via identity-source: repo, so the bump no longer depends on which person cut the release.

Why

The hardcoded tap PAT no longer works, so the formula bump is currently broken. This removes the static-secret dependency entirely.

After merge

  1. Cut the next release; confirm the bump PR opens on Bandwidth/homebrew-tap.
  2. Delete the stale HOMEBREW_TAP_TOKEN repo secret.

The bump is the terminal release job, so if the token is misconfigured the release artifacts are still clean — re-run the bump after fixing.

Prereq (satisfied)

BAND SWI owns Bandwidth/homebrew-tap, which is what scopes the issued token.
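The workflow change described above, as an added before/after illustration (this is not the PR's diff and not Bandwidth's code). The job and step names, the checkout action, the bump script path and the name of the variable the action exports are assumptions; only `Bandwidth/vault-provider-action@v1`, `export-github-pat: true` and `identity-source: repo` come from the description, and any further inputs the action requires are not shown.

```yaml
# Added illustration of the PR's intent; not the PR's own diff.
# Assumed: job/step names, actions/checkout, the bump script path, and the
# name of the variable the action exports. Inputs beyond the two named in the
# PR description are omitted because the page does not document them.

jobs:
  # Before: a long-lived PAT stored as a repo secret. Every step in the job
  # holds a token with no expiry, and it only stops working when someone
  # rotates or revokes it by hand (here it had already gone dead).
  bump-formula-before:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Open bump PR on the tap
        env:
          GH_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}   # static PAT, no expiry
        run: ./scripts/bump-formula.sh                   # assumed script path

  # After: the job proves its identity to Vault with a GitHub OIDC token and
  # receives a PAT that expires after one hour and is revoked when the job
  # ends. Scope follows the repo's durable team rather than the release cutter.
  bump-formula-after:
    runs-on: ubuntu-latest
    permissions:
      id-token: write    # lets the runner request an OIDC token for Vault
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Mint short-lived tap token
        uses: Bandwidth/vault-provider-action@v1
        with:
          export-github-pat: true     # from the PR description
          identity-source: repo       # scope pinned to the repo's team
      - name: Open bump PR on the tap
        env:
          # Assumed variable name; confirm against the action's documentation.
          GH_TOKEN: ${{ env.GITHUB_PAT }}
        run: ./scripts/bump-formula.sh
```

The `permissions.id-token: write` grant is what makes the OIDC exchange possible; without it the runner cannot obtain the identity token that Vault verifies. Once the new job is proven, the `HOMEBREW_TAP_TOKEN` secret has no remaining consumer and can be deleted, which is step 2 of the "After merge" list.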

Replace the hardcoded HOMEBREW_TAP_TOKEN secret in the bump-formula job
with a short-lived GitHub PAT minted by Bandwidth/vault-provider-action
(OIDC -> Vault, 1h TTL, auto-revoked). Scope follows the repo's BAND SWI
durable team via identity-source: repo, so it no longer depends on who
cuts the release.

Adds a temporary workflow_dispatch job to validate the issued token can
reach the tap before the next real release; delete it once proven.
@kshahbw kshahbw requested review from a team as code owners June 29, 2026 20:16
bwappsec commented Jun 29, 2026

Snyk checks have passed. No issues have been found so far.

Scan Engine            Critical  High  Medium  Low  Total
Open Source Security   0         0     0       0    0 issues
Licenses               0         0     0       0    0 issues
Code Security          0         0     0       0    0 issues


The formula bump is the terminal release job and failure is cheap and
recoverable, so a dedicated pre-validation workflow isn't worth the
cleanup overhead.
kshahbw (Contributor, Author) commented Jun 29, 2026

Public repos don't support the vault provider action.

@kshahbw kshahbw closed this Jun 29, 2026