ci: allow Senzing SDK cask under Homebrew 6.0 tap trust #412

Closed
docktermj wants to merge 1 commit into main from fix-macos-homebrew-tap-trust

@docktermj

Contributor

Problem

All production-v4 macOS pytest jobs are failing on main (scheduled run) and on every open PR (including #411). The break is environmental, not caused by any PR — the macOS runner image picked up Homebrew 6.0 (released 2026-06-11), which introduced tap trust.

The Install Senzing SDK step fails with:

##[error]Refusing to load cask senzing/senzingsdk/senzingsdk from untrusted tap senzing/senzingsdk.
Run `brew trust --cask senzing/senzingsdk/senzingsdk` or `brew trust senzing/senzingsdk` to trust it.

The official cask_tap_migrations redirect the short cask name senzingsdk to the third-party senzing/senzingsdk tap, and Homebrew 6.0 now refuses to load an auto-redirected cask from an untrusted tap. (staging-v4 uses a differently-named cask and currently only warns.)

Fix

Set HOMEBREW_NO_REQUIRE_TAP_TRUST=1 at the workflow level in pytest-darwin.yaml so the install action's brew install --cask is allowed during Homebrew's transition window.

This is the documented transition escape hatch. The durable fix belongs upstream in senzing-factory/github-action-install-senzing-sdk (it should brew trust the tap it installs); this unblocks CI in the meantime.

Notes

Homebrew 6.0 (2026-06-11) introduced tap trust, which refuses to load the
migration-redirected senzingsdk cask from the third-party senzing/senzingsdk
tap. macOS runner images picked this up around 2026-06-24, breaking all
production-v4 macOS pytest jobs on main and every open PR.

Set HOMEBREW_NO_REQUIRE_TAP_TRUST=1 at the workflow level so the install
action's brew install --cask succeeds during the transition.

docktermj requested a review from a team as a code owner June 25, 2026 14:29

@github-actions

🤖 Claude Code Review

Code Review: .github/workflows/pytest-darwin.yaml

This is a minimal, single-file change adding one environment variable with an explanatory comment.


Code Quality

  • Style guide: YAML formatting is consistent with the existing file structure.
  • No commented-out code: The comment is explanatory (documents a non-obvious workaround), not dead code.
  • Meaningful variable names: HOMEBREW_NO_REQUIRE_TAP_TRUST is a well-known Homebrew env var; no naming decision here.
  • DRY principle: Single addition, no duplication.
  • Defects: No bugs or logic errors. The flag correctly opts out of Homebrew 6.0's tap trust enforcement. The value "1" is the correct truthy form for Homebrew env vars.
  • CLAUDE.md: No concerns — CI config change, nothing environment-specific that would affect local developers.

Testing

  • Not applicable: This is a CI workflow change, not application logic. No unit/integration tests are expected.

Documentation

  • Inline comment: The 4-line comment is exemplary — it explains why the flag is needed, references the Homebrew version and date, and describes the failure mode it avoids. This is exactly the kind of non-obvious workaround that warrants a comment.
  • CHANGELOG.md: Not updated. Depending on project convention, CI infrastructure changes may or may not warrant a changelog entry — worth confirming.
  • README/API docs: No user-facing behavior change; no doc update needed.

Security

  • No hardcoded credentials.
  • No sensitive data.
  • No license files.
  • ⚠️ Minor security note: HOMEBREW_NO_REQUIRE_TAP_TRUST=1 disables a Homebrew security feature (tap trust verification) for the entire macOS runner job. This is acceptable as a temporary workaround during the Senzing SDK tap transition, but the comment should ideally include a tracking note (e.g., a link to an upstream issue or a TODO to remove it once the cask is migrated to a trusted tap). Without that, this flag risks becoming permanent/forgotten.

Summary

Approve with minor note. The change is correct and well-documented. The one suggestion: add a reference (upstream issue URL or explicit removal condition) to the comment so this workaround doesn't silently persist after the Senzing tap is migrated. Confirm whether a CHANGELOG entry is required per project convention.

Automated code review analyzing defects and coding standards
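
The security note in the review above, that a job-wide HOMEBREW_NO_REQUIRE_TAP_TRUST opt-out can outlive the transition it was added for, can be checked mechanically. The following is an added example, not code from this PR or the Senzing repositories: a line-based audit that reports each place a workflow sets the variable, whether it applies workflow-wide, and whether the adjacent comment carries a tracking reference. The function name, the definition of "tracked" (a URL or TODO in the comment) and the sample workflow with its placeholder URL are assumptions.

```python
import re

# Matches the opt-out only where it is a YAML mapping key (an env: block).
OPT_OUT = re.compile(r"^(\s*)HOMEBREW_NO_REQUIRE_TAP_TRUST\s*:(.*)$")
# Assumed meaning of "tracked": the comment carries a URL or a TODO.
TRACKING = re.compile(r"https?://\S+|\bTODO\b", re.IGNORECASE)

def audit_workflow(text):
    """Return one finding per place a workflow opts out of tap trust."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = OPT_OUT.match(line)
        if not m:
            continue
        indent = len(m.group(1))
        # Evidence of tracking: trailing comment plus the comment block above.
        notes = [m.group(2).partition("#")[2]]
        j = i - 1
        while j >= 0 and lines[j].lstrip().startswith("#"):
            notes.append(lines[j])
            j -= 1
        # Parent key: nearest earlier non-comment line indented less than the variable.
        parent = next((l for l in reversed(lines[:i])
                       if l.strip() and not l.lstrip().startswith("#")
                       and len(l) - len(l.lstrip()) < indent), "")
        findings.append({
            "line": i + 1,
            "scope": "workflow" if re.match(r"env\s*:", parent) else "job-or-step",
            "tracked": any(TRACKING.search(n) for n in notes),
        })
    return findings

# Constructed sample workflow (not the file changed in this PR).
SAMPLE = """\
env:
  # Homebrew 6.0 tap trust refuses the senzing/senzingsdk cask.
  HOMEBREW_NO_REQUIRE_TAP_TRUST: "1"
jobs:
  pytest:
    runs-on: macos-latest
    steps:
      - env:
          # TODO: drop once the install action trusts the tap itself;
          # tracking: https://example.invalid/upstream-issue (placeholder)
          HOMEBREW_NO_REQUIRE_TAP_TRUST: "1"
        run: brew install --cask senzingsdk
"""
if __name__ == "__main__":
    print(audit_workflow(SAMPLE))
```

A finding with scope "workflow" and tracked False is the case the review warns about; the check does not see the variable when it is exported inside a `run:` script.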

@github-actions

Super-linter summary

| Language | Validation result |
| --- | --- |
| CHECKOV | Pass ✅ |
| GITHUB_ACTIONS | Pass ✅ |
| GITHUB_ACTIONS_ZIZMOR | Pass ✅ |
| GITLEAKS | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| JSCPD | Pass ✅ |
| PRE_COMMIT | Pass ✅ |
| SPELL_CODESPELL | Pass ✅ |
| TRIVY | Pass ✅ |
| YAML | Pass ✅ |
| YAML_PRETTIER | Pass ✅ |

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter
