From 570cf65523c43f1497b0d83591d582b069868e9f Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Sat, 13 Jul 2024 10:51:49 -0400
Subject: [PATCH 1/3] attestations: widen the beta

This widens the beta to include people with developer mode enabled, as well as those with HOMEBREW_DEVELOPER set in their environment.

Signed-off-by: William Woodruff
---
 Library/Homebrew/attestation.rb | 10 ++++++++++
 Library/Homebrew/formula_installer.rb | 2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/Library/Homebrew/attestation.rb b/Library/Homebrew/attestation.rb
index 4ec51c28711d2..1c6a441f48733 100644
--- a/Library/Homebrew/attestation.rb
+++ b/Library/Homebrew/attestation.rb
@@ -40,6 +40,16 @@ class InvalidAttestationError < RuntimeError; end
 # @api private
 class GhAuthNeeded < RuntimeError; end

+ # Returns whether attestation verification is enabled.
+ #
+ # @api private
+ sig { returns(T::Boolean) }
+ def self.enabled?
+ Homebrew::EnvConfig.verify_attestations? \
+ || Homebrew::EnvConfig.developer? \
+ || Homebrew::Settings.read("devcmdrun") == "true"
+ end
+
 # Returns a path to a suitable `gh` executable for attestation verification.
 #
 # @api private
diff --git a/Library/Homebrew/formula_installer.rb b/Library/Homebrew/formula_installer.rb
index 1d00a0a0d4ec9..f2faedbe2951b 100644
--- a/Library/Homebrew/formula_installer.rb
+++ b/Library/Homebrew/formula_installer.rb
@@ -1258,7 +1258,7 @@ def downloader
 def pour
 # We skip `gh` to avoid a bootstrapping cycle, in the off-chance a user attempts
 # to explicitly `brew install gh` without already having a version for bootstrapping.
- if Homebrew::EnvConfig.verify_attestations? && formula.tap&.core_tap? && formula.name != "gh"
+ if Homebrew::Attestation.enabled? && formula.tap&.core_tap? && formula.name != "gh"
 ohai "Verifying attestation for #{formula.name}"
 begin
 Homebrew::Attestation.check_core_attestation formula.bottle
From 6d8067dc2f003c1e3c9a74761acdc79ebe928bc9 Mon Sep 17 00:00:00 2001
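Review bot: The doc comment on `enabled?` says only that verification is "enabled" and does not name the three signals the body ORs together, two of which (`developer?` and the `devcmdrun` setting) are implicit rather than an explicit opt-in. This predicate now decides whether a core bottle is poured with or without a provenance check, so I would state the gate in the comment, e.g. `# True if EnvConfig.verify_attestations? or EnvConfig.developer? (HOMEBREW_DEVELOPER) is set, or the "devcmdrun" setting is "true"; when false, bottles are poured without attestation verification.` The hunk also shows no way for a developer-mode user to switch the check off again, so it is worth confirming that the failure path in the caller is acceptable for users who never asked for verification.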
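Review bot: The `formula.name != "gh"` exemption in the rewritten condition is unconditional, so the `gh` bottle, which is the tool that performs every other verification, is poured unverified even when a working `gh` is already available and no bootstrapping cycle exists. With the gate now reaching a wider set of users, consider limiting the skip to the case the comment describes (no usable `gh` yet), or at least extending the comment with `# NOTE: this means the gh bottle itself is never attestation-checked.` The `begin` block and the rest of `pour` lie outside the hunk, so how a failed check is handled cannot be judged from here.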
From: William Woodruff
Date: Sat, 13 Jul 2024 10:58:00 -0400
Subject: [PATCH 2/3] workflows/tests: add some tokens

Signed-off-by: William Woodruff
---
 .github/workflows/tests.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index f49997fb91805..b61a183ddd9df 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -33,6 +33,7 @@ jobs:
 core: false
 cask: false
 test-bot: false
+ token: ${{ secrets.GITHUB_TOKEN }}

 - name: Cache Bundler RubyGems
 uses: actions/cache@v4
@@ -85,6 +86,7 @@ jobs:
 core: true
 cask: true
 test-bot: true
+ token: ${{ secrets.GITHUB_TOKEN }}

 - name: Cache Bundler RubyGems
 uses: actions/cache@v4
From c7d5e02334baf2b3c6e2f391209302ca759eb693 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Sat, 13 Jul 2024 13:59:16 -0400
Subject: [PATCH 3/3] workflows/tests: drop my changes

Signed-off-by: William Woodruff
---
 .github/workflows/tests.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index b61a183ddd9df..f49997fb91805 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -33,7 +33,6 @@ jobs:
 core: false
 cask: false
 test-bot: false
- token: ${{ secrets.GITHUB_TOKEN }}

 - name: Cache Bundler RubyGems
 uses: actions/cache@v4
@@ -86,7 +85,6 @@ jobs:
 core: true
 cask: true
 test-bot: true
- token: ${{ secrets.GITHUB_TOKEN }}

 - name: Cache Bundler RubyGems
 uses: actions/cache@v4