From a4c40580f72817c2faf82fbc88b5c9f2fcfaef83 Mon Sep 17 00:00:00 2001
From: lukeocodes <luke@lukeoliff.com>
Date: Sat, 2 May 2026 12:23:07 +0100
Subject: [PATCH 1/2] ci: add manual sync-brew-formula workflow

Manual escape hatch for when the auto-bump-on-release path can't fire
(e.g. no root v* release was cut but we need the live tap formula
patched immediately to unblock 'brew install').

Uses the existing CLI_TAP_SYNC_PAT secret to push directly to
deepgram/homebrew-tap. Idempotent: skips if rust dep already present.
Aborts safely if the formula has been hand-edited (marker text not
found or duplicated).

Triggered immediately to ship the rust + pkgconf fix for the
cryptography / pydantic_core source-build failure currently breaking
'brew install deepgram/tap/deepgram'.
---
 .github/workflows/sync-brew-formula.yml | 102 ++++++++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 .github/workflows/sync-brew-formula.yml

diff --git a/.github/workflows/sync-brew-formula.yml b/.github/workflows/sync-brew-formula.yml
new file mode 100644
index 0000000..07a0545
--- /dev/null
+++ b/.github/workflows/sync-brew-formula.yml
@@ -0,0 +1,102 @@
+name: Sync Homebrew Formula
+
+# Manual sync of deepgram/homebrew-tap/Formula/deepgram.rb when the auto-bump
+# path didn't fire (e.g. no root v* release was cut, but we still need the
+# live formula updated — typically to ship a build-time deps fix that breaks
+# `brew install` for users right now).
+#
+# This is the manual escape hatch. The standard flow is:
+#   release-please opens a release PR -> merging it cuts a tag ->
+#   the bump-brew-formula job in release.yml regenerates and PRs the formula.
+# Use this workflow only when that flow can't be used.
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  sync:
+    name: Sync formula to deepgram/homebrew-tap
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout deepgram/homebrew-tap
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          repository: deepgram/homebrew-tap
+          token: ${{ secrets.CLI_TAP_SYNC_PAT }}
+          path: tap
+
+      - name: Apply rust + pkgconf build deps (idempotent)
+        working-directory: tap
+        run: |
+          set -euo pipefail
+
+          if grep -q 'depends_on "rust" => :build' Formula/deepgram.rb; then
+            echo "Formula already has rust build dep; nothing to do"
+            exit 0
+          fi
+
+          # Insert the build-time deps before the existing ffmpeg comment block.
+          # Hardcoded patch (not template-driven) because this workflow runs in
+          # situations where the template change has not yet shipped.
+          python3 - <<'PY'
+          path = "Formula/deepgram.rb"
+          content = open(path).read()
+          insert = (
+              '  # Build-time deps for the `cryptography` and `pydantic_core` resources,\n'
+              '  # which compile Rust extensions via `maturin`. Language::Python::Virtualenv\n'
+              '  # defaults to --no-binary :all: so precompiled wheels are bypassed and the\n'
+              '  # Rust toolchain has to be available during install.\n'
+              '  depends_on "pkgconf" => :build\n'
+              '  depends_on "rust" => :build\n'
+              '\n'
+          )
+          marker = "  # Used by `dg debug probe`"
+          if marker not in content:
+              raise SystemExit(
+                  f"Could not find expected marker {marker!r} in formula; "
+                  "tap formula may have been hand-edited. Inspect manually."
+              )
+          if content.count(marker) != 1:
+              raise SystemExit(
+                  f"Marker {marker!r} appears multiple times; refusing to patch ambiguously."
+              )
+          open(path, "w").write(content.replace(marker, insert + marker, 1))
+          print("Patched formula with rust + pkgconf build deps")
+          PY
+
+      - name: Commit and push if changed
+        working-directory: tap
+        env:
+          GH_TOKEN: ${{ secrets.CLI_TAP_SYNC_PAT }}
+        run: |
+          set -euo pipefail
+
+          if git diff --quiet -- Formula/deepgram.rb; then
+            echo "No changes to commit; formula is already up to date"
+            exit 0
+          fi
+
+          # Attribute the commit to whoever owns CLI_TAP_SYNC_PAT so the change
+          # has a clear, linkable author. Same pattern as bump-brew-formula in
+          # release.yml — we want the credential owner, not ${{ github.actor }}
+          # (which would attribute to whoever clicked Run workflow).
+          PAT_LOGIN=$(gh api /user --jq .login)
+          PAT_ID=$(gh api /user --jq .id)
+          git config user.name  "${PAT_LOGIN}"
+          git config user.email "${PAT_ID}+${PAT_LOGIN}@users.noreply.github.com"
+
+          git add Formula/deepgram.rb
+          git commit -m "Add rust + pkgconf as build-time deps for cryptography and pydantic_core
+
+Manual sync from deepgram/cli's sync-brew-formula workflow. Fixes
+'brew install deepgram/tap/deepgram' failing during cryptography and
+pydantic_core source builds: both compile Rust extensions via maturin,
+and Language::Python::Virtualenv defaults to --no-binary :all: so the
+precompiled wheels are bypassed and the Rust toolchain has to be
+available during install.
+
+Same pattern homebrew-core's Aider, ansible, azure-cli use."
+          git push

From 2d5d605362caf4d1884201276fcb7bfa0e0cfc5d Mon Sep 17 00:00:00 2001
From: lukeocodes <luke@lukeoliff.com>
Date: Sat, 2 May 2026 12:23:47 +0100
Subject: [PATCH 2/2] ci: fix YAML scoping in sync-brew-formula commit message

---
 .github/workflows/sync-brew-formula.yml | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/sync-brew-formula.yml b/.github/workflows/sync-brew-formula.yml
index 07a0545..029bf0e 100644
--- a/.github/workflows/sync-brew-formula.yml
+++ b/.github/workflows/sync-brew-formula.yml
@@ -88,15 +88,21 @@ jobs:
           git config user.name  "${PAT_LOGIN}"
           git config user.email "${PAT_ID}+${PAT_LOGIN}@users.noreply.github.com"
 
-          git add Formula/deepgram.rb
-          git commit -m "Add rust + pkgconf as build-time deps for cryptography and pydantic_core
+          MSG_FILE="$(mktemp)"
+          cat > "${MSG_FILE}" <<'EOF'
+          Add rust + pkgconf as build-time deps for cryptography and pydantic_core
+
+          Manual sync from deepgram/cli's sync-brew-formula workflow. Fixes
+          'brew install deepgram/tap/deepgram' failing during cryptography and
+          pydantic_core source builds: both compile Rust extensions via maturin,
+          and Language::Python::Virtualenv defaults to --no-binary :all: so the
+          precompiled wheels are bypassed and the Rust toolchain has to be
+          available during install.
 
-Manual sync from deepgram/cli's sync-brew-formula workflow. Fixes
-'brew install deepgram/tap/deepgram' failing during cryptography and
-pydantic_core source builds: both compile Rust extensions via maturin,
-and Language::Python::Virtualenv defaults to --no-binary :all: so the
-precompiled wheels are bypassed and the Rust toolchain has to be
-available during install.
+          Same pattern homebrew-core's Aider, ansible, azure-cli use.
+          EOF
 
-Same pattern homebrew-core's Aider, ansible, azure-cli use."
+          git add Formula/deepgram.rb
+          git commit -F "${MSG_FILE}"
           git push
+          rm -f "${MSG_FILE}"