Merge pull request #19839 from Homebrew/tap-new-for-private-repos

dev-cmd/tap-new: support private repos

Library/Homebrew/dev-cmd/tap-new.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "abstract_command"
+require "erb"
 require "fileutils"
 require "tap"
 require "utils/uid"
@@ -72,13 +73,13 @@ module Homebrew
         # <!-- vale on -->
         write_path(tap, "README.md", readme)
 
-        actions_main = <<~YAML
+        tests_yml = <<~ERB
           name: brew test-bot
 
           on:
             push:
               branches:
-                - #{branch}
+                - <%= branch %>
             pull_request:
 
           jobs:
@@ -87,10 +88,20 @@ module Homebrew
                 matrix:
                   os: [ ubuntu-22.04, macos-13, macos-15 ]
               runs-on: ${{ matrix.os }}
+              permissions:
+                actions: read
+                checks: read
+                contents: read
+          <% if  args.github_packages? -%>
+                packages: read
+          <% end  -%>
+                pull-requests: read
               steps:
                 - name: Set up Homebrew
                   id: set-up-homebrew
                   uses: Homebrew/actions/setup-homebrew@master
+                  with:
+                    token: ${{ github.token }}
 
                 - name: Cache Homebrew Bundler RubyGems
                   uses: actions/cache@v4
@@ -104,9 +115,23 @@ module Homebrew
                 - run: brew test-bot --only-setup
 
                 - run: brew test-bot --only-tap-syntax
-
-                - run: brew test-bot --only-formulae#{" --root-url='#{root_url}'" if root_url}
+          <% if  args.github_packages? -%>
+                - name: Base64-encode GITHUB_TOKEN for HOMEBREW_DOCKER_REGISTRY_TOKEN
+                  id: base64-encode
                   if: github.event_name == 'pull_request'
+                  env:
+                    TOKEN: ${{ github.token }}
+                  run: |
+                    base64_token=$(echo -n "${TOKEN}" | base64 | tr -d "\\n")
+                    echo "::add-mask::${base64_token}"
+                    echo "token=${base64_token}" >> "${GITHUB_OUTPUT}"
+          <% end  -%>
+                - run: brew test-bot --only-formulae<% if  root_url %> --root-url='<%= root_url %>'<% end  %>
+                  if: github.event_name == 'pull_request'
+          <% if  args.github_packages? -%>
+                  env:
+                    HOMEBREW_DOCKER_REGISTRY_TOKEN: ${{ steps.base64-encode.outputs.token }}
+          <% end  -%>
 
                 - name: Upload bottles as artifact
                   if: always() && github.event_name == 'pull_request'
@@ -114,21 +139,9 @@ module Homebrew
                   with:
                     name: bottles_${{ matrix.os }}
                     path: '*.bottle.*'
-        YAML
+        ERB
 
-        pr_pull_permissions = {
-          "contents"      => "write",
-          "pull-requests" => "write",
-        }
-        pr_pull_env = {
-          "HOMEBREW_GITHUB_API_TOKEN" => "${{ github.token }}",
-        }
-        if args.github_packages?
-          pr_pull_permissions["packages"] = "write"
-          pr_pull_env["HOMEBREW_GITHUB_PACKAGES_TOKEN"] = "${{ github.token }}"
-          pr_pull_env["HOMEBREW_GITHUB_PACKAGES_USER"] = "${{ github.repository_owner }}"
-        end
-        actions_publish = <<~YAML
+        publish_yml = <<~ERB
           name: brew pr-pull
 
           on:
@@ -138,39 +151,51 @@ module Homebrew
 
           jobs:
             pr-pull:
-              if: contains(github.event.pull_request.labels.*.name, '#{label}')
+              if: contains(github.event.pull_request.labels.*.name, '<%= label %>')
               runs-on: ubuntu-22.04
               permissions:
-          #{pr_pull_permissions.sort.map { |k, v| "      #{k}: #{v}" }.join("\n")}
+                actions: read
+                checks: read
+                contents: write
+                issues: read
+          <% if  args.github_packages? -%>
+                packages: write
+          <% end  -%>
+                pull-requests: write
               steps:
                 - name: Set up Homebrew
                   uses: Homebrew/actions/setup-homebrew@master
+                  with:
+                    token: ${{ github.token }}
 
                 - name: Set up git
                   uses: Homebrew/actions/git-user-config@master
 
                 - name: Pull bottles
                   env:
-          #{pr_pull_env.sort.map { |k, v| "          #{k}: #{v}" }.join("\n")}
+                    HOMEBREW_GITHUB_API_TOKEN: ${{ github.token }}
+          <% if  args.github_packages? -%>
+                    HOMEBREW_GITHUB_PACKAGES_TOKEN: ${{ github.token }}
+                    HOMEBREW_GITHUB_PACKAGES_USER: ${{ github.repository_owner }}
+          <% end  -%>
                     PULL_REQUEST: ${{ github.event.pull_request.number }}
                   run: brew pr-pull --debug --tap="$GITHUB_REPOSITORY" "$PULL_REQUEST"
 
                 - name: Push commits
                   uses: Homebrew/actions/git-try-push@master
                   with:
-                    token: ${{ github.token }}
-                    branch: #{branch}
+                    branch: <%= branch %>
 
                 - name: Delete branch
                   if: github.event.pull_request.head.repo.fork == false
                   env:
                     BRANCH: ${{ github.event.pull_request.head.ref }}
                   run: git push --delete origin "$BRANCH"
-        YAML
+        ERB
 
         (tap.path/".github/workflows").mkpath
-        write_path(tap, ".github/workflows/tests.yml", actions_main)
-        write_path(tap, ".github/workflows/publish.yml", actions_publish)
+        write_path(tap, ".github/workflows/tests.yml", ERB.new(tests_yml, trim_mode: "-").result(binding))
+        write_path(tap, ".github/workflows/publish.yml", ERB.new(publish_yml, trim_mode: "-").result(binding))
 
         unless args.no_git?
           cd tap.path do |path|