packaging: harden macOS brew install against pydantic-core dylib regression#219
Merged
github-actions[bot] merged 2 commits intomainfrom Apr 19, 2026
Merged
Conversation
`notify-tap` validates the GitHub Release title against `fusionAIze Gate vX.Y.Z`. Some `gh` versions default the title to just the tag name when only `--notes-from-tag` is given, which silently breaks the Homebrew tap dispatch — v2.3.0 hit this twice today. - RELEASES.md and docs/PUBLISHING.md now explicitly call out the `--title "fusionAIze Gate vX.Y.Z"` flag and document that a `gh release edit --title` after the fact will re-trigger the workflow. - scripts/faigate-release surfaces the full `gh release create` command in its next-steps output, with a test that locks in the convention. - .github/workflows/notify-tap.yml now also runs on `release: edited`, so a title fix unblocks the dispatch without delete + recreate. - .github/RELEASE_TEMPLATE.md adds the title shape to the checklist. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…b regression
The v1.2.2 hardening ("pydantic-core from source with explicit header
padding") was silently lost when the tap formula switched to
`pip install --prefer-binary` to skip the 3-5 min cargo build. As of
v2.3.0 the prebuilt pydantic-core wheel is still linked without enough
Mach-O headerpad, so `brew upgrade fusionaize/tap/faigate` prints
`Failed changing dylib ID ... needs to be relinked, possibly with
-headerpad_max_install_names` on every install. Runtime startup
happens to work, which masked the regression.
This commit lands recurrence-prevention in the source repo (the actual
formula fix is a separate PR in fusionAIze/homebrew-tap):
- Formula/faigate.rb is rewritten as a v2.3.0-current "golden reference"
with a banner clarifying the tap is canonical, plus inline comments
explaining exactly why `PIP_NO_BINARY=pydantic-core,watchfiles` and
the headerpad linker flags must not be removed.
- docs/PUBLISHING.md gains a "macOS packaging guard" section documenting
the failure mode, the known-good shape, and the rule "do not drop
PIP_NO_BINARY or add --prefer-binary".
- .github/RELEASE_TEMPLATE.md adds a checklist line requiring an
end-to-end `brew upgrade` smoke run with zero linkage-audit errors
before any release is announced.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
pydantic-corefrom source with explicit header padding") was silently lost when the tap formula switched topip install --prefer-binaryto skip the 3–5 min cargo build. As of v2.3.0 the prebuiltpydantic-corewheel is still linked without enough Mach-O headerpad, sobrew upgrade fusionaize/tap/faigateprintsFailed changing dylib ID ... needs to be relinked, possibly with -headerpad_max_install_nameson every install. Runtime startup happens to work, which masked the regression.fusionAIze/homebrew-tap.Formula/faigate.rbis rewritten as a v2.3.0-current "golden reference" with a banner clarifying the tap is canonical, plus inline comments explaining exactly whyPIP_NO_BINARY=pydantic-core,watchfilesand the headerpad linker flags must not be removed.docs/PUBLISHING.mdgains a "macOS packaging guard" section documenting the failure mode, the known-good shape, and the rule "do not dropPIP_NO_BINARYor add--prefer-binary"..github/RELEASE_TEMPLATE.mdadds a checklist line requiring an end-to-endbrew upgradesmoke run with zero linkage-audit errors before any release is announced.Test plan
pytest tests/test_release_scripts.py(all 6 pass —Formula/faigate.rbexclusion in next-steps still holds)brew upgrade fusionaize/tap/faigateon macOS arm64 prints zeroFailed changing dylib ID/Failed to fix install linkagelines, andfaigate --versionreportsv2.3.xv2.3.1once the tap fix is verified, with a CHANGELOG note: "packaging: restore pydantic-core source-build hardening on Homebrew (regression from v1.2.2 fix)"Notes for reviewers
The Formula in this repo is intentionally kept (not deleted) as a defense-in-depth golden reference. The banner makes it clear it is not the install path. Deleting it would remove the easiest place for a future PR reviewer to spot when someone proposes regressing the hardening again.
🤖 Generated with Claude Code