🌐 US-Proxy
class="logged-out env-production page-responsive" style="word-wrap: break-word;" >
Skip to content

Allow tap trust in build sandbox#22751

Merged
MikeMcQuaid merged 1 commit into
mainfrom
fix-tap-trust-build-sandbox
Jun 15, 2026
Merged

Allow tap trust in build sandbox#22751
MikeMcQuaid merged 1 commit into
mainfrom
fix-tap-trust-build-sandbox

Conversation

@MikeMcQuaid

@MikeMcQuaid MikeMcQuaid commented Jun 15, 2026

Copy link
Copy Markdown
Member

Fixes #22748

  • Keep trust.json readable during sandboxed formula builds.
  • Avoid trusted tapped formulae failing when build.rb reloads them.
  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them? Performance claims (e.g. "this is faster") must include Hyperfine benchmarks.
  • Have you written new tests (excluding integration tests) for your changes? Here's an example.
  • Have you successfully run brew lgtm (style, typechecking and tests) with your changes locally?
  • AI was used to generate or assist with generating this PR.

OpenAI Codex 5.5 xhigh with local review and testing.

Copilot AI review requested due to automatic review settings June 15, 2026 16:37
Copilot AI reviewed Jun 15, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes sandboxed formula builds failing under tap trust enforcement by ensuring the tap trust store (trust.json) remains readable inside the build sandbox, so build.rb can re-check trust when it reloads tapped formulae.

Changes:

  • Update FormulaInstaller#build to allow the sandboxed build process to read Homebrew::Trust.trust_file when tap trust is required.
  • Extend the FormulaInstaller#build sandbox unit test to assert both the local formula path and the trust file path are exposed to the sandbox.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
Library/Homebrew/formula_installer.rb Allows the build sandbox to read trust.json when tap trust is enforced, preventing reload failures in build.rb.
Library/Homebrew/test/formula_installer_spec.rb Adds/updates a spec to validate the sandbox receives allow_read_if_exists for both the formula path and the trust store path.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@MikeMcQuaid MikeMcQuaid mentioned this pull request Jun 15, 2026
Closed
3 tasks
@MikeMcQuaid
Allow tap trust in build sandbox
fea2e08 
- Keep `trust.json` readable during sandboxed formula builds.
- Avoid trusted tapped formulae failing when `build.rb` reloads them.
- Preserve Linux setup errors when tests mock `system` failures.
@MikeMcQuaid MikeMcQuaid force-pushed the fix-tap-trust-build-sandbox branch from 868a046 to fea2e08 Compare June 15, 2026 18:06
@MikeMcQuaid MikeMcQuaid enabled auto-merge June 15, 2026 18:11
@MikeMcQuaid MikeMcQuaid added this pull request to the merge queue Jun 15, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jun 15, 2026
@MikeMcQuaid MikeMcQuaid added this pull request to the merge queue Jun 15, 2026
Merged via the queue into main with commit 0d707cb Jun 15, 2026
41 checks passed
@MikeMcQuaid MikeMcQuaid deleted the fix-tap-trust-build-sandbox branch June 15, 2026 19:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@p-linnane p-linnane p-linnane approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

brew install fails for tapped formulae

3 participants

@MikeMcQuaid @p-linnane