diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 082718fd..0c795812 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -63,6 +63,11 @@ jobs: args: release --clean --skip=docker env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Separate fine-grained PAT (contents:write on the homebrew-tap + # repo) so goreleaser can push the updated formula there; the + # default GITHUB_TOKEN can't write a second repo. Consumed by + # the brews: stanza in .goreleaser.yaml. + HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }} # Capture the goreleaser-emitted artifact list as JSON so the # SLSA generator can compute checksums for the binaries + diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 86b0780e..edd98ea6 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml 
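Review bot: Nothing in this step checks that `HOMEBREW_TAP_TOKEN` is populated before goreleaser runs. An unset secret reaches the step as an empty string, so the failure would presumably surface only at the tap push, likely after the GitHub release has already been published. A short guard step ahead of this one (with the same secret in its `env:`) would fail the job early, e.g. `test -n "$HOMEBREW_TAP_TOKEN" || { echo "::error::HOMEBREW_TAP_TOKEN is not set"; exit 1; }`. Because a fine-grained PAT is tied to one user and expires, I would also extend the new comment with a line such as `# PAT owner: <OWNER>; expires <EXPIRY_DATE>; rotate before then.` The goreleaser step itself starts outside the hunk.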
@@ -93,6 +93,54 @@ archives: - LICENSE - README.md +# Homebrew tap — publishes Formula/pg_hardstorage.rb to the org-wide +# tap repo on each release, so `brew install cybertec-postgresql/tap/ +# pg_hardstorage` works on macOS (Apple Silicon) and Linux +# (amd64/arm64). goreleaser generates the formula from the +# pg_hardstorage archive and commits it to the tap. +# +# Auth: the default GITHUB_TOKEN can only write the current repo, so the +# push to the separate tap repo uses HOMEBREW_TAP_TOKEN (a fine-grained +# PAT scoped to contents:write on homebrew-tap), passed through in +# .github/workflows/release.yml. +brews: + - name: pg_hardstorage + # Only the pg_hardstorage CLI archive — without this filter goreleaser + # would also pull in the pg_hardstorage_testkit archive (two archives + # per OS/arch), producing an ambiguous formula. Mirrors nfpms.ids. + ids: [pg_hardstorage] + repository: + owner: cybertec-postgresql + name: homebrew-tap + token: "{{ .Env.HOMEBREW_TAP_TOKEN }}" + # Commit author for the formula bump in the tap repo. + commit_author: + name: cybertec-postgresql + email: office@cybertec.at + commit_msg_template: "pg_hardstorage: update formula to {{ .Tag }}" + homepage: "https://github.com/cybertec-postgresql/pg_hardstorage" + description: >- + PostgreSQL backup, done right — agent + CLI with continuous WAL + streaming, content-addressed dedup, envelope encryption, and + signed manifests. + license: "Apache-2.0" + # No hard PostgreSQL dependency: the agent talks to PostgreSQL over + # the replication protocol (often a *remote* DB), so forcing a local + # server build on every install is wrong. Surface the optional + # client as a caveat instead. + caveats: | + pg_hardstorage connects to PostgreSQL over the replication protocol + and needs no local PostgreSQL server. 
If you want the psql client + locally, install it separately: + brew install libpq # client only + brew install postgresql@18 # full server + + Docs: https://docs.pghardstorage.org + test: | + system "#{bin}/pg_hardstorage", "version" + install: | + bin.install "pg_hardstorage" + checksum: name_template: "checksums.txt" algorithm: sha256 diff --git a/CHANGELOG.md b/CHANGELOG.md index 9549d892..2d77271f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,16 @@ keeps reading that version for at least 24 months after a successor lands. ## [Unreleased] +### Packaging: publish a Homebrew formula on release + +goreleaser now generates and pushes a Homebrew formula to the org-wide +tap (cybertec-postgresql/homebrew-tap) on each release, so +`brew install cybertec-postgresql/tap/pg_hardstorage` works on macOS +(Apple Silicon) and Linux (amd64/arm64). No hard PostgreSQL dependency: +the agent talks to PostgreSQL over the replication protocol, so the +optional psql client is surfaced as a caveat instead. The formula push +uses a dedicated HOMEBREW_TAP_TOKEN secret. + ### Installer: fix and harden the curl|sh installer The `scripts/install.sh` one-liner now works against real releases: it
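Review bot: The `repository:` block in the new `brews:` entry pushes the generated formula straight to the tap with a `contents:write` token, so no review or branch protection sits between this workflow and what `brew install` fetches. The formula carries the download URL and sha256 for each archive, which makes the tap the integrity anchor for Homebrew users; whoever holds the token can change both. Consider routing the update through a pull request so tap-side branch protection applies, by adding `branch: "formula-{{ .Tag }}"` (an example name) and `pull_request:` with `enabled: true` under `repository:`. The PAT would then presumably also need pull-request write access on the tap, and the auth comment above `brews:` should be updated to match.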