From bc8b721b7e142bf262f5b61fe5e710e901eb477a Mon Sep 17 00:00:00 2001
From: Rui Chen <rui@chenrui.dev>
Date: Sun, 22 Feb 2026 11:50:43 -0500
Subject: [PATCH] ci: remove Homebrew core publishing flow

Remove the manual Homebrew-core publishing workflow and related docs references.

Signed-off-by: Rui Chen <rui@chenrui.dev>
---
 .github/workflows/main-branch-flow.md   |   9 +-
 .github/workflows/pub-homebrew-core.yml | 221 ------------------------
 docs/ci-map.md                          |  17 +-
 docs/release-process.md                 |  21 ---
 4 files changed, 7 insertions(+), 261 deletions(-)
 delete mode 100644 .github/workflows/pub-homebrew-core.yml

diff --git a/.github/workflows/main-branch-flow.md b/.github/workflows/main-branch-flow.md
index f34ca38f5..9299f46e4 100644
--- a/.github/workflows/main-branch-flow.md
+++ b/.github/workflows/main-branch-flow.md
@@ -16,7 +16,7 @@ Use this with:
 | PR activity (`pull_request`) | `ci-run.yml`, `sec-audit.yml`, `main-promotion-gate.yml` (for `main` PRs), plus path-scoped workflows |
 | Push to `dev`/`main` | `ci-run.yml`, `sec-audit.yml`, plus path-scoped workflows |
 | Tag push (`v*`) | `pub-release.yml` publish mode, `pub-docker-img.yml` publish job |
-| Scheduled/manual | `pub-release.yml` verification mode, `pub-homebrew-core.yml` (manual), `sec-codeql.yml`, `feature-matrix.yml`, `test-fuzz.yml`, `pr-check-stale.yml`, `pr-check-status.yml`, `sync-contributors.yml`, `test-benchmarks.yml`, `test-e2e.yml` |
+| Scheduled/manual | `pub-release.yml` verification mode, `sec-codeql.yml`, `feature-matrix.yml`, `test-fuzz.yml`, `pr-check-stale.yml`, `pr-check-status.yml`, `sync-contributors.yml`, `test-benchmarks.yml`, `test-e2e.yml` |
 
 ## Runtime and Docker Matrix
 
@@ -34,7 +34,6 @@ Observed averages below are from recent completed runs (sampled from GitHub Acti
 | `pub-docker-img.yml` (`pull_request`) | Docker build-input PR changes | 240.4s | Yes | Yes | No |
 | `pub-docker-img.yml` (`push`) | tag push `v*` | 139.9s | Yes | No | Yes |
 | `pub-release.yml` | Tag push `v*` (publish) + manual/scheduled verification (no publish) | N/A in recent sample | No | No | No |
-| `pub-homebrew-core.yml` | Manual workflow dispatch only | N/A in recent sample | No | No | No |
 
 Notes:
 
@@ -174,12 +173,6 @@ Workflow: `.github/workflows/pub-release.yml`
 5. In publish mode, workflow generates SBOM (`CycloneDX` + `SPDX`), `SHA256SUMS`, keyless cosign signatures, and verifies GHCR release-tag availability.
 6. In publish mode, workflow creates/updates the GitHub Release for the resolved tag and commit-ish.
 
-Manual Homebrew formula flow:
-
-1. Run `.github/workflows/pub-homebrew-core.yml` with `release_tag=vX.Y.Z`.
-2. Use `dry_run=true` first to validate formula patch and metadata.
-3. Use `dry_run=false` to push from bot fork and open `homebrew-core` PR.
-
 ## Merge/Policy Notes
 
 1. Workflow-file changes (`.github/workflows/**`) activate owner-approval gate in `ci-run.yml`.
diff --git a/.github/workflows/pub-homebrew-core.yml b/.github/workflows/pub-homebrew-core.yml
deleted file mode 100644
index ec7eb2209..000000000
--- a/.github/workflows/pub-homebrew-core.yml
+++ /dev/null
@@ -1,221 +0,0 @@
-name: Pub Homebrew Core
-
-on:
-    workflow_dispatch:
-        inputs:
-            release_tag:
-                description: "Existing release tag to publish (vX.Y.Z)"
-                required: true
-                type: string
-            dry_run:
-                description: "Patch formula only (no push/PR)"
-                required: false
-                default: true
-                type: boolean
-
-concurrency:
-    group: homebrew-core-${{ github.run_id }}
-    cancel-in-progress: false
-
-permissions:
-    contents: read
-
-jobs:
-    publish-homebrew-core:
-        name: Publish Homebrew Core PR
-        runs-on: blacksmith-2vcpu-ubuntu-2404
-        env:
-            UPSTREAM_REPO: Homebrew/homebrew-core
-            FORMULA_PATH: Formula/z/zeroclaw.rb
-            RELEASE_TAG: ${{ inputs.release_tag }}
-            DRY_RUN: ${{ inputs.dry_run }}
-            BOT_FORK_REPO: ${{ vars.HOMEBREW_CORE_BOT_FORK_REPO }}
-            BOT_EMAIL: ${{ vars.HOMEBREW_CORE_BOT_EMAIL }}
-        steps:
-            - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-              with:
-                  fetch-depth: 0
-
-            - name: Validate release tag and version alignment
-              id: release_meta
-              shell: bash
-              run: |
-                  set -euo pipefail
-
-                  semver_pattern='^v[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z.-]+)?$'
-                  if [[ ! "$RELEASE_TAG" =~ $semver_pattern ]]; then
-                    echo "::error::release_tag must match semver-like format (vX.Y.Z[-suffix])."
-                    exit 1
-                  fi
-
-                  if ! git rev-parse "refs/tags/${RELEASE_TAG}" >/dev/null 2>&1; then
-                    git fetch --tags origin
-                  fi
-
-                  tag_version="${RELEASE_TAG#v}"
-                  cargo_version="$(git show "${RELEASE_TAG}:Cargo.toml" | sed -n 's/^version = "\([^"]*\)"/\1/p' | head -n1)"
-                  if [[ -z "$cargo_version" ]]; then
-                    echo "::error::Unable to read Cargo.toml version from tag ${RELEASE_TAG}."
-                    exit 1
-                  fi
-                  if [[ "$cargo_version" != "$tag_version" ]]; then
-                    echo "::error::Tag ${RELEASE_TAG} does not match Cargo.toml version (${cargo_version})."
-                    echo "::error::Bump Cargo.toml first, then publish Homebrew."
-                    exit 1
-                  fi
-
-                  tarball_url="https://github.com/${GITHUB_REPOSITORY}/archive/refs/tags/${RELEASE_TAG}.tar.gz"
-                  tarball_sha="$(curl -fsSL "$tarball_url" | sha256sum | awk '{print $1}')"
-
-                  {
-                    echo "tag_version=$tag_version"
-                    echo "tarball_url=$tarball_url"
-                    echo "tarball_sha=$tarball_sha"
-                  } >> "$GITHUB_OUTPUT"
-
-                  {
-                    echo "### Release Metadata"
-                    echo "- release_tag: ${RELEASE_TAG}"
-                    echo "- cargo_version: ${cargo_version}"
-                    echo "- tarball_sha256: ${tarball_sha}"
-                    echo "- dry_run: ${DRY_RUN}"
-                  } >> "$GITHUB_STEP_SUMMARY"
-
-            - name: Patch Homebrew formula
-              id: patch_formula
-              shell: bash
-              env:
-                  HOMEBREW_CORE_BOT_TOKEN: ${{ secrets.HOMEBREW_UPSTREAM_PR_TOKEN || secrets.HOMEBREW_CORE_BOT_TOKEN }}
-                  GH_TOKEN: ${{ secrets.HOMEBREW_UPSTREAM_PR_TOKEN || secrets.HOMEBREW_CORE_BOT_TOKEN }}
-              run: |
-                  set -euo pipefail
-
-                  tmp_repo="$(mktemp -d)"
-                  echo "tmp_repo=$tmp_repo" >> "$GITHUB_OUTPUT"
-
-                  if [[ "$DRY_RUN" == "true" ]]; then
-                    git clone --depth=1 "https://github.com/${UPSTREAM_REPO}.git" "$tmp_repo/homebrew-core"
-                  else
-                    if [[ -z "${BOT_FORK_REPO}" ]]; then
-                      echo "::error::Repository variable HOMEBREW_CORE_BOT_FORK_REPO is required when dry_run=false."
-                      exit 1
-                    fi
-                    if [[ -z "${HOMEBREW_CORE_BOT_TOKEN}" ]]; then
-                      echo "::error::Repository secret HOMEBREW_CORE_BOT_TOKEN is required when dry_run=false."
-                      exit 1
-                    fi
-                    if [[ "$BOT_FORK_REPO" != */* ]]; then
-                      echo "::error::HOMEBREW_CORE_BOT_FORK_REPO must be in owner/repo format."
-                      exit 1
-                    fi
-                    if ! command -v gh >/dev/null 2>&1; then
-                      echo "::error::gh CLI is required on the runner."
-                      exit 1
-                    fi
-                    if [[ -z "${GH_TOKEN:-}" ]]; then
-                      echo "::error::Repository secret HOMEBREW_CORE_BOT_TOKEN is missing."
-                      exit 1
-                    fi
-                    if ! gh api "repos/${BOT_FORK_REPO}" >/dev/null 2>&1; then
-                      echo "::error::HOMEBREW_CORE_BOT_TOKEN cannot access ${BOT_FORK_REPO}."
-                      exit 1
-                    fi
-                    gh repo clone "${BOT_FORK_REPO}" "$tmp_repo/homebrew-core" -- --depth=1
-                  fi
-
-                  repo_dir="$tmp_repo/homebrew-core"
-                  formula_file="$repo_dir/$FORMULA_PATH"
-                  if [[ ! -f "$formula_file" ]]; then
-                    echo "::error::Formula file not found: $FORMULA_PATH"
-                    exit 1
-                  fi
-
-                  if [[ "$DRY_RUN" == "false" ]]; then
-                    if git -C "$repo_dir" remote get-url upstream >/dev/null 2>&1; then
-                      git -C "$repo_dir" remote set-url upstream "https://github.com/${UPSTREAM_REPO}.git"
-                    else
-                      git -C "$repo_dir" remote add upstream "https://github.com/${UPSTREAM_REPO}.git"
-                    fi
-                    if git -C "$repo_dir" ls-remote --exit-code --heads upstream main >/dev/null 2>&1; then
-                      upstream_ref="main"
-                    else
-                      upstream_ref="master"
-                    fi
-                    git -C "$repo_dir" fetch --depth=1 upstream "$upstream_ref"
-                    branch_name="zeroclaw-${RELEASE_TAG}-${GITHUB_RUN_ID}"
-                    git -C "$repo_dir" checkout -B "$branch_name" "upstream/$upstream_ref"
-                    echo "branch_name=$branch_name" >> "$GITHUB_OUTPUT"
-                  fi
-
-                  tarball_url="${{ steps.release_meta.outputs.tarball_url }}"
-                  tarball_sha="${{ steps.release_meta.outputs.tarball_sha }}"
-
-                  perl -0pi -e "s|^  url \".*\"|  url \"${tarball_url}\"|m" "$formula_file"
-                  perl -0pi -e "s|^  sha256 \".*\"|  sha256 \"${tarball_sha}\"|m" "$formula_file"
-                  perl -0pi -e "s|^  license \".*\"|  license \"Apache-2.0 OR MIT\"|m" "$formula_file"
-                  perl -0pi -e 's|^  head "https://github\.com/zeroclaw-labs/zeroclaw\.git".*|  head "https://github.com/zeroclaw-labs/zeroclaw.git"|m' "$formula_file"
-
-                  git -C "$repo_dir" diff -- "$FORMULA_PATH" > "$tmp_repo/formula.diff"
-                  if [[ ! -s "$tmp_repo/formula.diff" ]]; then
-                    echo "::error::No formula changes generated. Nothing to publish."
-                    exit 1
-                  fi
-
-                  {
-                    echo "### Formula Diff"
-                    echo '```diff'
-                    cat "$tmp_repo/formula.diff"
-                    echo '```'
-                  } >> "$GITHUB_STEP_SUMMARY"
-
-            - name: Push branch and open Homebrew PR
-              if: ${{ inputs.dry_run == false }}
-              shell: bash
-              env:
-                  GH_TOKEN: ${{ secrets.HOMEBREW_UPSTREAM_PR_TOKEN || secrets.HOMEBREW_CORE_BOT_TOKEN }}
-              run: |
-                  set -euo pipefail
-
-                  repo_dir="${{ steps.patch_formula.outputs.tmp_repo }}/homebrew-core"
-                  branch_name="${{ steps.patch_formula.outputs.branch_name }}"
-                  tag_version="${{ steps.release_meta.outputs.tag_version }}"
-                  fork_owner="${BOT_FORK_REPO%%/*}"
-                  bot_email="${BOT_EMAIL:-${fork_owner}@users.noreply.github.com}"
-
-                  git -C "$repo_dir" config user.name "$fork_owner"
-                  git -C "$repo_dir" config user.email "$bot_email"
-                  git -C "$repo_dir" add "$FORMULA_PATH"
-                  git -C "$repo_dir" commit -m "zeroclaw ${tag_version}"
-                  if [[ -z "${GH_TOKEN:-}" ]]; then
-                    echo "::error::Repository secret HOMEBREW_CORE_BOT_TOKEN is missing."
-                    exit 1
-                  fi
-                  gh auth setup-git
-                  git -C "$repo_dir" push --set-upstream origin "$branch_name"
-
-                  pr_title="zeroclaw ${tag_version}"
-                  pr_body=$(cat <<EOF
-                  Automated formula bump from ZeroClaw release workflow.
-
-                  - Release tag: ${RELEASE_TAG}
-                  - Source tarball: ${{ steps.release_meta.outputs.tarball_url }}
-                  - Source sha256: ${{ steps.release_meta.outputs.tarball_sha }}
-                  EOF
-                  )
-
-                  gh pr create \
-                    --repo "$UPSTREAM_REPO" \
-                    --base main \
-                    --head "${fork_owner}:${branch_name}" \
-                    --title "$pr_title" \
-                    --body "$pr_body"
-
-            - name: Summary output
-              shell: bash
-              run: |
-                  set -euo pipefail
-                  if [[ "$DRY_RUN" == "true" ]]; then
-                    echo "Dry run complete: formula diff generated, no push/PR performed."
-                  else
-                    echo "Publish complete: branch pushed and PR opened from bot fork."
-                  fi
diff --git a/docs/ci-map.md b/docs/ci-map.md
index 569f9d26a..89b0d8519 100644
--- a/docs/ci-map.md
+++ b/docs/ci-map.md
@@ -37,9 +37,6 @@ Merge-blocking checks should stay small and deterministic. Optional checks are u
     - Noise control: excludes common test/fixture paths and test file patterns by default (`include_tests=false`)
 - `.github/workflows/pub-release.yml` (`Release`)
     - Purpose: build release artifacts in verification mode (manual/scheduled) and publish GitHub releases on tag push or manual publish mode
-- `.github/workflows/pub-homebrew-core.yml` (`Pub Homebrew Core`)
-    - Purpose: manual, bot-owned Homebrew core formula bump PR flow for tagged releases
-    - Guardrail: release tag must match `Cargo.toml` version
 - `.github/workflows/pr-label-policy-check.yml` (`Label Policy Sanity`)
     - Purpose: validate shared contributor-tier policy in `.github/label-policy.json` and ensure label workflows consume that policy
 - `.github/workflows/test-rust-build.yml` (`Rust Reusable Job`)
@@ -77,7 +74,6 @@ Merge-blocking checks should stay small and deterministic. Optional checks are u
 - `CI`: push to `dev` and `main`, PRs to `dev` and `main`
 - `Docker`: tag push (`v*`) for publish, matching PRs to `dev`/`main` for smoke build, manual dispatch for smoke only
 - `Release`: tag push (`v*`), weekly schedule (verification-only), manual dispatch (verification or publish)
-- `Pub Homebrew Core`: manual dispatch only
 - `Security Audit`: push to `dev` and `main`, PRs to `dev` and `main`, weekly schedule
 - `Sec Vorpal Reviewdog`: manual dispatch only
 - `Workflow Sanity`: PR/push when `.github/workflows/**`, `.github/*.yml`, or `.github/*.yaml` change
@@ -95,13 +91,12 @@ Merge-blocking checks should stay small and deterministic. Optional checks are u
 1. `CI Required Gate` failing: start with `.github/workflows/ci-run.yml`.
 2. Docker failures on PRs: inspect `.github/workflows/pub-docker-img.yml` `pr-smoke` job.
 3. Release failures (tag/manual/scheduled): inspect `.github/workflows/pub-release.yml` and the `prepare` job outputs.
-4. Homebrew formula publish failures: inspect `.github/workflows/pub-homebrew-core.yml` summary output and bot token/fork variables.
-5. Security failures: inspect `.github/workflows/sec-audit.yml` and `deny.toml`.
-6. Workflow syntax/lint failures: inspect `.github/workflows/workflow-sanity.yml`.
-7. PR intake failures: inspect `.github/workflows/pr-intake-checks.yml` sticky comment and run logs.
-8. Label policy parity failures: inspect `.github/workflows/pr-label-policy-check.yml`.
-9. Docs failures in CI: inspect `docs-quality` job logs in `.github/workflows/ci-run.yml`.
-10. Strict delta lint failures in CI: inspect `lint-strict-delta` job logs and compare with `BASE_SHA` diff scope.
+4. Security failures: inspect `.github/workflows/sec-audit.yml` and `deny.toml`.
+5. Workflow syntax/lint failures: inspect `.github/workflows/workflow-sanity.yml`.
+6. PR intake failures: inspect `.github/workflows/pr-intake-checks.yml` sticky comment and run logs.
+7. Label policy parity failures: inspect `.github/workflows/pr-label-policy-check.yml`.
+8. Docs failures in CI: inspect `docs-quality` job logs in `.github/workflows/ci-run.yml`.
+9. Strict delta lint failures in CI: inspect `lint-strict-delta` job logs and compare with `BASE_SHA` diff scope.
 
 ## Maintenance Rules
 
diff --git a/docs/release-process.md b/docs/release-process.md
index 905e918d8..2fad5d818 100644
--- a/docs/release-process.md
+++ b/docs/release-process.md
@@ -22,7 +22,6 @@ Last verified: **February 21, 2026**.
 Release automation lives in:
 
 - `.github/workflows/pub-release.yml`
-- `.github/workflows/pub-homebrew-core.yml` (manual Homebrew formula PR, bot-owned)
 
 Modes:
 
@@ -95,26 +94,6 @@ Expected publish outputs:
 2. Verify GHCR tags for the released version (`vX.Y.Z`) and release commit SHA tag (`sha-<12>`).
 3. Verify install paths that rely on release assets (for example bootstrap binary download).
 
-### 6) Publish Homebrew Core formula (bot-owned)
-
-Run `Pub Homebrew Core` manually:
-
-- `release_tag`: `vX.Y.Z`
-- `dry_run`: `true` first, then `false`
-
-Required repository settings for non-dry-run:
-
-- secret: `HOMEBREW_CORE_BOT_TOKEN` (token from a dedicated bot account, not a personal maintainer account)
-- variable: `HOMEBREW_CORE_BOT_FORK_REPO` (for example `zeroclaw-release-bot/homebrew-core`)
-- optional variable: `HOMEBREW_CORE_BOT_EMAIL`
-
-Workflow guardrails:
-
-- release tag must match `Cargo.toml` version
-- formula source URL and SHA256 are updated from the tagged tarball
-- formula license is normalized to `Apache-2.0 OR MIT`
-- PR is opened from the bot fork into `Homebrew/homebrew-core:master`
-
 ## Emergency / Recovery Path
 
 If tag-push release fails after artifacts are validated: