Preserve GitHub token during eval#22431
Merged
Merged
Conversation
3 tasks
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adjusts Homebrew’s “sensitive env scrubbing” during formula/cask evaluation to avoid breaking private-tap workflows that rely on HOMEBREW_GITHUB_API_TOKEN at load time, while keeping scrubbing in place for other sensitive variables by default.
Changes:
- Introduce an eval-specific env scrubbing helper that preserves
HOMEBREW_GITHUB_API_TOKEN, and wire formula + cask loaders to use it. - Add
HOMEBREW_NO_EVAL_ENV_SCRUBBINGas a temporary opt-out to disable eval-time scrubbing entirely. - Add/extend unit tests and update Sorbet RBI for the new EnvConfig boolean.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| Library/Homebrew/test/formulary_spec.rb | Adds coverage for GitHub token preservation and the opt-out during formula evaluation. |
| Library/Homebrew/test/ENV_spec.rb | Adds coverage for clear_sensitive_environment! exceptions support. |
| Library/Homebrew/test/cask/cask_loader_spec.rb | Adds coverage for GitHub token preservation and the opt-out during cask evaluation. |
| Library/Homebrew/sorbet/rbi/dsl/homebrew/env_config.rbi | Adds RBI for no_eval_env_scrubbing?. |
| Library/Homebrew/formulary.rb | Switches formula evaluation to the eval-specific env scrubbing helper. |
| Library/Homebrew/extend/ENV/sensitive.rb | Adds exception support and eval-specific scrubbing behavior (incl. token allowlist + opt-out). |
| Library/Homebrew/env_config.rb | Adds HOMEBREW_NO_EVAL_ENV_SCRUBBING EnvConfig entry. |
| Library/Homebrew/cask/cask_loader.rb | Switches cask evaluation to the eval-specific env scrubbing helper. |
Files not reviewed (1)
- Library/Homebrew/sorbet/rbi/dsl/homebrew/env_config.rbi: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Keep `$HOMEBREW_GITHUB_API_TOKEN` available while formulae and casks are evaluated so private taps can keep resolving assets. - Share the eval scrubbing policy through `ENV` so formula and cask loaders do not drift. - Add temporary `HOMEBREW_NO_EVAL_ENV_SCRUBBING` for users who need a short-term escape hatch while private taps migrate.
MikeMcQuaid
force-pushed
the
preserve-github-token-eval
branch
from
ebdddaf to
ef45fef
Compare
bevanjkay
approved these changes
May 27, 2026
p-linnane
approved these changes
May 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #22430
$HOMEBREW_GITHUB_API_TOKENavailable while formulae and casks are evaluated so private taps can keep resolving assets.ENVso formula and cask loaders do not drift.HOMEBREW_NO_EVAL_ENV_SCRUBBINGfor users who need a short-term escape hatch while private taps migrate.brew lgtm(style, typechecking and tests) with your changes locally?OpenAI Codex 5.5 xhigh with local review and testing.