Add HOMEBREW_FORBID_CASKS to allow forbidding all casks.

`HOMEBREW_FORBIDDEN_CASKS` allows forbidding specific casks but, in some
cases, you may wish to forbid all casks from installation.

Library/Homebrew/cask/installer.rb

@@ -692,9 +692,10 @@ on_request: true)
 
     sig { void }
     def forbidden_cask_and_formula_check
+      forbid_casks = Homebrew::EnvConfig.forbid_casks?
       forbidden_formulae = Set.new(Homebrew::EnvConfig.forbidden_formulae.to_s.split)
       forbidden_casks = Set.new(Homebrew::EnvConfig.forbidden_casks.to_s.split)
-      return if forbidden_formulae.blank? && forbidden_casks.blank?
+      return if !forbid_casks && forbidden_formulae.blank? && forbidden_casks.blank?
 
       owner = Homebrew::EnvConfig.forbidden_owner
       owner_contact = if (contact = Homebrew::EnvConfig.forbidden_owner_contact.presence)
@@ -705,7 +706,7 @@ on_request: true)
         cask_and_formula_dependencies.each do |dep_cask_or_formula|
           dep_name, dep_type, variable = if dep_cask_or_formula.is_a?(Cask) && forbidden_casks.present?
             dep_cask = dep_cask_or_formula
-            dep_cask_name = if forbidden_casks.include?(dep_cask.token)
+            dep_cask_name = if forbid_casks ||forbidden_casks.include?(dep_cask.token)
               dep_cask.token
             elsif dep_cask.tap.present? &&
                   forbidden_casks.include?(dep_cask.full_name)
@@ -731,9 +732,9 @@ on_request: true)
           )
         end
       end
-      return if forbidden_casks.blank?
+      return if !forbid_casks && forbidden_casks.blank?
 
-      if forbidden_casks.include?(@cask.token)
+      if forbid_casks || forbidden_casks.include?(@cask.token)
         @cask.token
       elsif forbidden_casks.include?(@cask.full_name)
         @cask.full_name

Library/Homebrew/env_config.rb

@@ -226,6 +226,10 @@ module Homebrew
         description: "A space-separated list of taps. Homebrew will refuse to install a " \
                      "formula if it or any of its dependencies is in a tap on this list.",
       },
+      HOMEBREW_FORBID_CASKS:                     {
+        description: "If set, Homebrew will refuse to install any casks.",
+        boolean:     true,
+      },
       HOMEBREW_FORBID_PACKAGES_FROM_PATHS:       {
         description: "If set, Homebrew will refuse to read formulae or casks provided from file paths, " \
                      "e.g. `brew install ./package.rb`.",

Library/Homebrew/sorbet/rbi/dsl/homebrew/env_config.rbi

@@ -121,6 +121,9 @@ module Homebrew::EnvConfig
     sig { returns(Integer) }
     def fail_log_lines; end
 
+    sig { returns(T::Boolean) }
+    def forbid_casks?; end
+
     sig { returns(T::Boolean) }
     def forbid_packages_from_paths?; end
 

docs/Manpage.md

@@ -4055,6 +4055,10 @@ command execution e.g. `$(cat file)`.
 : A space-separated list of taps. Homebrew will refuse to install a formula if
   it or any of its dependencies is in a tap on this list.
 
+`HOMEBREW_FORBID_CASKS`
+
+: If set, Homebrew will refuse to install any casks.
+
 `HOMEBREW_FORBID_PACKAGES_FROM_PATHS`
 
 : If set, Homebrew will refuse to read formulae or casks provided from file

manpages/brew.1

@@ -1,5 +1,5 @@
 .\" generated by kramdown
-.TH "BREW" "1" "April 2025" "Homebrew"
+.TH "BREW" "1" "May 2025" "Homebrew"
 .SH NAME
 brew \- The Missing Package Manager for macOS (or Linux)
 .SH "SYNOPSIS"
@@ -2642,6 +2642,9 @@ How to contact the \fB$HOMEBREW_FORBIDDEN_OWNER\fP, if set and necessary\.
 \fBHOMEBREW_FORBIDDEN_TAPS\fP
 A space\-separated list of taps\. Homebrew will refuse to install a formula if it or any of its dependencies is in a tap on this list\.
 .TP
+\fBHOMEBREW_FORBID_CASKS\fP
+If set, Homebrew will refuse to install any casks\.
+.TP
 \fBHOMEBREW_FORBID_PACKAGES_FROM_PATHS\fP
 If set, Homebrew will refuse to read formulae or casks provided from file paths, e\.g\. \fBbrew install \./package\.rb\fP\&\.
 .TP