From 6f6a60d9360b876dbdae58b33adde05c567d5fd4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hans-J=C3=BCrgen=20Sch=C3=B6nig?= Date: Mon, 22 Jun 2026 16:22:21 +0200 Subject: [PATCH 1/2] packaging: publish a Homebrew formula on release Add a brews: stanza to .goreleaser.yaml so each release generates and pushes Formula/pg_hardstorage.rb to the org-wide tap (cybertec-postgresql/homebrew-tap), making 'brew install cybertec-postgresql/tap/pg_hardstorage' work on macOS (Apple Silicon) and Linux (amd64/arm64). No hard PostgreSQL dependency: the agent talks to PostgreSQL over the replication protocol (often a remote DB), so a forced local server build on install would be wrong - the optional psql client is surfaced as a caveat instead. The formula push targets a second repo, which the default GITHUB_TOKEN can't write, so release.yml passes a dedicated HOMEBREW_TAP_TOKEN (fine-grained PAT, contents:write on homebrew-tap only) through to goreleaser. --- .github/workflows/release.yml | 5 ++++ .goreleaser.yaml | 44 +++++++++++++++++++++++++++++++++++ CHANGELOG.md | 10 ++++++++ 3 files changed, 59 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 082718fd..0c795812 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -63,6 +63,11 @@ jobs: args: release --clean --skip=docker env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Separate fine-grained PAT (contents:write on the homebrew-tap + # repo) so goreleaser can push the updated formula there; the + # default GITHUB_TOKEN can't write a second repo. Consumed by + # the brews: stanza in .goreleaser.yaml. + HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }} # Capture the goreleaser-emitted artifact list as JSON so the # SLSA generator can compute checksums for the binaries + diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 86b0780e..4506c1f6 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -93,6 +93,50 @@ archives: - LICENSE - README.md +# Homebrew tap — publishes Formula/pg_hardstorage.rb to the org-wide +# tap repo on each release, so `brew install cybertec-postgresql/tap/ +# pg_hardstorage` works on macOS (Apple Silicon) and Linux +# (amd64/arm64). goreleaser generates the formula from the +# pg_hardstorage archive and commits it to the tap. +# +# Auth: the default GITHUB_TOKEN can only write the current repo, so the +# push to the separate tap repo uses HOMEBREW_TAP_TOKEN (a fine-grained +# PAT scoped to contents:write on homebrew-tap), passed through in +# .github/workflows/release.yml. +brews: + - name: pg_hardstorage + repository: + owner: cybertec-postgresql + name: homebrew-tap + token: "{{ .Env.HOMEBREW_TAP_TOKEN }}" + # Commit author for the formula bump in the tap repo. + commit_author: + name: cybertec-postgresql + email: office@cybertec.at + commit_msg_template: "pg_hardstorage: update formula to {{ .Tag }}" + homepage: "https://github.com/cybertec-postgresql/pg_hardstorage" + description: >- + PostgreSQL backup, done right — agent + CLI with continuous WAL + streaming, content-addressed dedup, envelope encryption, and + signed manifests. + license: "Apache-2.0" + # No hard PostgreSQL dependency: the agent talks to PostgreSQL over + # the replication protocol (often a *remote* DB), so forcing a local + # server build on every install is wrong. Surface the optional + # client as a caveat instead. + caveats: | + pg_hardstorage connects to PostgreSQL over the replication protocol + and needs no local PostgreSQL server. If you want the psql client + locally, install it separately: + brew install libpq # client only + brew install postgresql@18 # full server + + Docs: https://docs.pghardstorage.org + test: | + system "#{bin}/pg_hardstorage", "version" + install: | + bin.install "pg_hardstorage" + checksum: name_template: "checksums.txt" algorithm: sha256 diff --git a/CHANGELOG.md b/CHANGELOG.md index 76e7eb5f..ee643493 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,16 @@ keeps reading that version for at least 24 months after a successor lands. ## [Unreleased] +### Packaging: publish a Homebrew formula on release + +goreleaser now generates and pushes a Homebrew formula to the org-wide +tap (cybertec-postgresql/homebrew-tap) on each release, so +`brew install cybertec-postgresql/tap/pg_hardstorage` works on macOS +(Apple Silicon) and Linux (amd64/arm64). No hard PostgreSQL dependency: +the agent talks to PostgreSQL over the replication protocol, so the +optional psql client is surfaced as a caveat instead. The formula push +uses a dedicated HOMEBREW_TAP_TOKEN secret. + ### Docs: publish the documentation site to GitHub Pages The docs CI built and validated the site but never published it. A From 62409a6f980999e680793fbea3fa0b920c8591a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hans-J=C3=BCrgen=20Sch=C3=B6nig?= Date: Mon, 22 Jun 2026 16:40:34 +0200 Subject: [PATCH 2/2] release(brew): scope the formula to the pg_hardstorage archive The repo builds two archives per OS/arch (pg_hardstorage and pg_hardstorage_testkit). Without an ids filter the brews stanza pulls in both, yielding an ambiguous/incorrect formula. Pin ids: [pg_hardstorage] (mirroring nfpms.ids) so only the CLI archive is published. Verified with a snapshot build: formula resolves darwin/arm64 + linux/amd64,arm64 to the pg_hardstorage tarballs only. --- .goreleaser.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 4506c1f6..edd98ea6 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -105,6 +105,10 @@ archives: # .github/workflows/release.yml. brews: - name: pg_hardstorage + # Only the pg_hardstorage CLI archive — without this filter goreleaser + # would also pull in the pg_hardstorage_testkit archive (two archives + # per OS/arch), producing an ambiguous formula. Mirrors nfpms.ids. + ids: [pg_hardstorage] repository: owner: cybertec-postgresql name: homebrew-tap