From dc896c8a9892515e79377594ada9ef803d1f935a Mon Sep 17 00:00:00 2001 From: Kush Date: Mon, 29 Jun 2026 16:16:19 -0400 Subject: [PATCH 1/2] ci(release): issue Homebrew tap token via Vault instead of a static PAT Replace the hardcoded HOMEBREW_TAP_TOKEN secret in the bump-formula job with a short-lived GitHub PAT minted by Bandwidth/vault-provider-action (OIDC -> Vault, 1h TTL, auto-revoked). Scope follows the repo's BAND SWI durable team via identity-source: repo, so it no longer depends on who cuts the release. Adds a temporary workflow_dispatch job to validate the issued token can reach the tap before the next real release; delete it once proven. --- .github/workflows/release.yml | 12 +++++++- .github/workflows/validate-tap-token.yml | 35 ++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/validate-tap-token.yml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1a9e094..1aafe27 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -85,7 +85,17 @@ jobs: bump-formula: needs: [release] runs-on: ubuntu-latest + permissions: + id-token: write + contents: read steps: + - name: Get Homebrew tap token from Vault + uses: Bandwidth/vault-provider-action@v1 + with: + export-github-pat: true + identity-source: repo + durable-team-name: BAND SWI + - name: Bump Homebrew formula uses: mislav/bump-homebrew-formula-action@v3 with: @@ -97,4 +107,4 @@ jobs: commit-message: | {{formulaName}} {{version}} env: - COMMITTER_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }} + COMMITTER_TOKEN: ${{ env.GITHUB_TEAM_ACCESS_TOKEN }} diff --git a/.github/workflows/validate-tap-token.yml b/.github/workflows/validate-tap-token.yml new file mode 100644 index 0000000..7ab39fc --- /dev/null +++ b/.github/workflows/validate-tap-token.yml @@ -0,0 +1,35 @@ +# TEMPORARY: validates that the Vault-issued GitHub PAT can reach the Homebrew +# tap before relying on it in the real release pipeline. Delete this file once +# a release has bumped the formula successfully via vault-provider-action. +name: Validate tap token (temp) + +on: + workflow_dispatch: + +jobs: + validate: + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + steps: + - name: Get Homebrew tap token from Vault + uses: Bandwidth/vault-provider-action@v1 + with: + export-github-pat: true + identity-source: repo + durable-team-name: BAND SWI + + - name: Verify token can write to the tap + env: + GH_TOKEN: ${{ env.GITHUB_TEAM_ACCESS_TOKEN }} + run: | + echo "Permissions the Vault token holds on Bandwidth/homebrew-tap:" + perms=$(gh api repos/Bandwidth/homebrew-tap --jq '.permissions') + echo "$perms" + if echo "$perms" | grep -q '"push":true'; then + echo "OK: token has write access to the tap." + else + echo "FAIL: token lacks write access to the tap." + exit 1 + fi From aed857ecec3c3c76514ea1c4c21417b4a0ce1bac Mon Sep 17 00:00:00 2001 From: Kush Date: Mon, 29 Jun 2026 16:21:08 -0400 Subject: [PATCH 2/2] ci(release): drop temporary tap-token validation workflow The formula bump is the terminal release job and failure is cheap and recoverable, so a dedicated pre-validation workflow isn't worth the cleanup overhead. --- .github/workflows/validate-tap-token.yml | 35 ------------------------ 1 file changed, 35 deletions(-) delete mode 100644 .github/workflows/validate-tap-token.yml diff --git a/.github/workflows/validate-tap-token.yml b/.github/workflows/validate-tap-token.yml deleted file mode 100644 index 7ab39fc..0000000 --- a/.github/workflows/validate-tap-token.yml +++ /dev/null @@ -1,35 +0,0 @@ -# TEMPORARY: validates that the Vault-issued GitHub PAT can reach the Homebrew -# tap before relying on it in the real release pipeline. Delete this file once -# a release has bumped the formula successfully via vault-provider-action. -name: Validate tap token (temp) - -on: - workflow_dispatch: - -jobs: - validate: - runs-on: ubuntu-latest - permissions: - id-token: write - contents: read - steps: - - name: Get Homebrew tap token from Vault - uses: Bandwidth/vault-provider-action@v1 - with: - export-github-pat: true - identity-source: repo - durable-team-name: BAND SWI - - - name: Verify token can write to the tap - env: - GH_TOKEN: ${{ env.GITHUB_TEAM_ACCESS_TOKEN }} - run: | - echo "Permissions the Vault token holds on Bandwidth/homebrew-tap:" - perms=$(gh api repos/Bandwidth/homebrew-tap --jq '.permissions') - echo "$perms" - if echo "$perms" | grep -q '"push":true'; then - echo "OK: token has write access to the tap." - else - echo "FAIL: token lacks write access to the tap." - exit 1 - fi