fix(homebrew): formula must declare url + sha256

rahlk · rahlk · commit aa60bd77553d · 2026-06-20T16:26:33.000-04:00
`brew install` failed with "formula requires at least a URL" because the formula
had only version + depends_on. Point url at the released sdist and add its
sha256 (byte-identical to the PyPI sdist); the install method still just writes
the uv wrappers. The release `homebrew` job now hashes the published sdist and
passes SHA256 to generate_formula.sh.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -159,7 +159,12 @@ jobs:
           VERSION: ${{ steps.ver.outputs.version }}
         run: |
           chmod +x packaging/homebrew/generate_formula.sh
-          ./packaging/homebrew/generate_formula.sh > codeanalyzer-python.rb
+          # The release job just published the sdist as a Release asset; hash the
+          # exact bytes users will download so the formula checksum always matches.
+          sdist="https://github.com/${REPO}/releases/download/v${VERSION}/codeanalyzer_python-${VERSION}.tar.gz"
+          SHA256="$(curl -fLsS "$sdist" | shasum -a 256 | cut -d' ' -f1)"
+          REPO="$REPO" VERSION="$VERSION" SHA256="$SHA256" \
+            ./packaging/homebrew/generate_formula.sh > codeanalyzer-python.rb
           cat codeanalyzer-python.rb
 
       - name: Push formula to codellm-devkit/homebrew-tap
diff --git a/packaging/homebrew/generate_formula.sh b/packaging/homebrew/generate_formula.sh
@@ -14,21 +14,30 @@
 # isolated environment on first run). This keeps `brew install` sandbox-safe (no
 # network at build time) while pinning the exact released version.
 #
+# Homebrew requires every formula to declare a source `url` + `sha256` for its
+# stable spec, so we point at the released sdist (byte-identical to the PyPI one).
+# The install method ignores the unpacked source and just writes uv wrappers, but
+# the url anchors the version and satisfies Homebrew's spec requirement.
+#
 # Usage:
-#   REPO=codellm-devkit/codeanalyzer-python VERSION=0.2.0 \
+#   REPO=codellm-devkit/codeanalyzer-python VERSION=0.2.0 SHA256=<sdist sha256> \
 #     ./generate_formula.sh > codeanalyzer-python.rb
 #
 set -euo pipefail
 
 REPO="${REPO:?set REPO, e.g. codellm-devkit/codeanalyzer-python}"
 VERSION="${VERSION:?set VERSION, e.g. 0.2.0}"
+SHA256="${SHA256:?set SHA256 of the released sdist}"
+SDIST_URL="https://github.com/${REPO}/releases/download/v${VERSION}/codeanalyzer_python-${VERSION}.tar.gz"
 
 cat <<EOF
 # This file is auto-generated by packaging/homebrew/generate_formula.sh on release.
 # Do not edit by hand -- changes will be overwritten on the next tag.
 class CodeanalyzerPython < Formula
   desc "CLDK Python analyzer (canpy) -- emits canonical analysis.json or a Neo4j graph"
   homepage "https://github.com/${REPO}"
+  url "${SDIST_URL}"
+  sha256 "${SHA256}"
   version "${VERSION}"
   license "Apache-2.0"
 
