From d63e7c1c45bf1e643b8f5367dd49b8be086233e0 Mon Sep 17 00:00:00 2001 From: Alex Fishlock Date: Mon, 27 Apr 2026 11:47:11 +0200 Subject: [PATCH] ci(release): skip homebrew-tap publish on forks (#1687) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The release job uses GoReleaser to bump the formula in multica-ai/homebrew-tap. Forks don't have HOMEBREW_TAP_GITHUB_TOKEN and should not publish to that tap, so the job currently fails on every fork tag push (401 Bad credentials against the upstream tap). This makes the workflow red on downstream forks even though the actual artifact pipeline (verify → docker-backend-build → docker-backend-merge) succeeds and produces a usable image. Gate the release job on `github.repository_owner == 'multica-ai'`. Upstream behaviour unchanged. Forks now see a clean green run for docker artifacts only. --- .github/workflows/release.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8eaa5959b..b75c47bfb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -56,6 +56,12 @@ jobs: release: needs: verify + # Only run on the canonical upstream repo. Forks don't have the + # HOMEBREW_TAP_GITHUB_TOKEN secret and should not be publishing to + # `multica-ai/homebrew-tap` anyway. Without this guard, every fork's + # tag push fails this job (401 against the upstream tap), which makes + # downstream CI go red without affecting the actual artifact pipeline. + if: github.repository_owner == 'multica-ai' runs-on: ubuntu-latest steps: - name: Checkout