.github/workflows/build-and-test.yaml (3)

103-103: Trim trailing whitespace (YAMLlint error)

There’s trailing whitespace on this blank line, which YAMLlint flags.

Apply:

- 
+

---

160-171: Brew dependency install looks fine; consider guarding for CI flakiness

brew install unixodbc is reasonable. If you see intermittent failures, consider brew update before install or caching Homebrew downloads. Optional.

---

144-205: Overall: solid cross-platform expansion; consider deduplication via a matrix over os

You duplicated most steps between Windows and macOS. Consider a single job with an os+python-version matrix and conditional steps for OS-specific bits (PowerShell vs Bash, brew vs none). This reduces drift.

If you want, I can draft a reusable-workflow or a single-job matrix variant that keeps the PyInstaller args DRY.

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

.github/workflows/build-and-test.yaml (1)

95-99: Update setup-python to v5 on Windows (runner compatibility; actionlint error).

actions/setup-python@v4 is flagged as too old on current runners. Move to @v5 to avoid breakage and unlock caching inputs.

- - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v4
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v5
 with:
 python-version: ${{ matrix.python-version }}

.github/workflows/build-and-test.yaml (4)

128-144: Harden PowerShell steps to fail fast.

Set strict error preferences so non-terminating errors fail the job immediately. Minor reliability improvement.

 - name: Run tests
 shell: powershell
 env:
 OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
 run: |
+ $ErrorActionPreference = 'Stop'
+ $PSNativeCommandUseErrorActionPreference = $true
 poetry run pytest -m "not llm"
 
 - name: Test the binary
 shell: powershell
 run: |
+ $ErrorActionPreference = 'Stop'
+ $PSNativeCommandUseErrorActionPreference = $true
 & "dist\holmes\holmes.exe" version
 if ($LASTEXITCODE -ne 0) {
 Write-Host "Binary test failed"
 exit 1
 }
 Write-Host "Binary test passed"

---

33-38: Modernize Linux job actions for consistency (checkout v4, setup-python v5).

Not part of this PR’s OS additions, but aligning versions avoids deprecation issues and enables caching.

- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
@@
- - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v5
 with:
 python-version: ${{ matrix.python-version }}

---

95-99: Enable pip caching to speed up CI on Windows/macOS (and mirror on Linux).

actions/setup-python@v5 supports a built-in pip cache. This reduces build time significantly across matrix runs.

 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v5
+ uses: actions/setup-python@v5
 with:
 python-version: ${{ matrix.python-version }}
+ cache: 'pip'

Mirror the same addition in the Linux job’s setup-python step once it’s bumped to @v5.

Also applies to: 156-160

---

107-108: Make Poetry non-interactive in build jobs.

Use --no-interaction to avoid any accidental prompts and ensure reproducibility.

- poetry install --no-root
+ poetry install --no-interaction --no-root

Apply in both Windows and macOS jobs (and consider doing the same in the Linux job for consistency).

Also applies to: 167-167

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

.github/workflows/build-and-release.yaml (4)

82-87: Verify token scopes and repository permissions for pushing to the tap.

MULTIREPO_GITHUB_TOKEN must have repo:status, repo:write (or equivalent) on robusta-dev/homebrew-holmesgpt. If pushes fail, switch to a fine-scoped PAT and set persist-credentials: true on checkout (v4 defaults to true).

I can provide a minimal permissions matrix and a secret-checklist if needed.

---

92-95: Editing fixed line numbers in the formula is brittle; switch to pattern-based updates.

Line-number coupling will break on any formula formatting change. Prefer targeting the on_macos/on_linux blocks by pattern.

Example using sed with anchors (keeps future diffs readable):

- awk 'NR==6{0ドル=" url \"https://github.com/robusta-dev/holmesgpt/releases/download/'"$TAG_NAME"'/holmes-macos-latest-'"$TAG_NAME"'.zip\""}1' ./Formula/holmesgpt.rb > temp && mv temp ./Formula/holmesgpt.rb
- awk 'NR==7{0ドル=" sha256 \"'$MAC_BUILD_HASH'\""}1' ./Formula/holmesgpt.rb > temp && mv temp ./Formula/holmesgpt.rb
- awk 'NR==9{0ドル=" url \"https://github.com/robusta-dev/holmesgpt/releases/download/'"$TAG_NAME"'/holmes-ubuntu-22.04-'"$TAG_NAME"'.zip\""}1' ./Formula/holmesgpt.rb > temp && mv temp ./Formula/holmesgpt.rb
- awk 'NR==10{0ドル=" sha256 \"'$LINUX_BUILD_HASH'\""}1' ./Formula/holmesgpt.rb > temp && mv temp ./Formula/holmesgpt.rb
+ sed -i -E "0,/on_macos do/{s#(on_macos do[[:space:][:print:]]*url \").*(\".*)#1円https://github.com/robusta-dev/holmesgpt/releases/download/${TAG_NAME}/holmes-macos-latest-${TAG_NAME}.zip2円#; s#(on_macos do[[:space:][:print:]]*sha256 \").*(\"#1円${MAC_BUILD_HASH}2円#}" ./Formula/holmesgpt.rb
+ sed -i -E "0,/on_linux do/{s#(on_linux do[[:space:][:print:]]*url \").*(\".*)#1円https://github.com/robusta-dev/holmesgpt/releases/download/${TAG_NAME}/holmes-ubuntu-22.04-${TAG_NAME}.zip2円#; s#(on_linux do[[:space:][:print:]]*sha256 \").*(\"#1円${LINUX_BUILD_HASH}2円#}" ./Formula/holmesgpt.rb

If you prefer, I can replace this with a tiny Ruby script that parses and updates the formula AST for maximum robustness.

---

49-53: Sanity-check artifact names to avoid "artifact not found".

Names must exactly match what the reusable build uploads. If the template appends extensions or directories, the download will fail. Consider listing artifacts before download during the run for debugging (optional).

 - name: Download MacOS artifact
 uses: actions/download-artifact@v4
 with:
 name: holmes-macos-latest-${{ github.ref_name }}
 path: .
+ - name: List files (debug)
+ run: ls -lah .
@@
 - name: Download Linux artifact
 uses: actions/download-artifact@v4
 with:
 name: holmes-ubuntu-22.04-${{ github.ref_name }}
 path: .
+ - name: List files (debug)
+ run: ls -lah .

Also applies to: 68-72

---

37-45: Minor: runner pinning consistency.

You pin check-latest to ubuntu-22.04 but hashing to ubuntu-latest. Consider pinning all to the same LTS to reduce surprise upgrades.

Also applies to: 56-64

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

.github/workflows/build-and-release.yaml (5)

3-6: Trigger on published (and optionally prereleased) releases, not created.

As-is, the workflow may run before a release is actually live. Switch to published (and optionally prereleased) and keep workflow_dispatch for manual runs.

 on:
 release:
- types: [ created ]
+ types: [ published, prereleased ]
+ workflow_dispatch:

---

21-28: IS_LATEST output: ensure downstream if: checks compare to the string 'true'.

Job outputs are strings. Using them bare in if: is always truthy. Keep the output as-is, but fix consumers below to compare explicitly.

---

36-54: Fix three issues in mac-hash: truthy if:, outdated checkout@v2, deprecated set-output, and artifact path.

• Compare IS_LATEST to 'true'
• Use actions/checkout@v4
• Write to $GITHUB_OUTPUT (set-output is deprecated)
• Ensure the artifact downloads into the current directory so sha256sum finds the .zip

 mac-hash:
 name: Calculate macOS Hash
 needs: check-latest
 runs-on: ubuntu-latest
- if: needs.check-latest.outputs.IS_LATEST
+ if: needs.check-latest.outputs.IS_LATEST == 'true'
 outputs:
 MAC_BUILD_HASH: ${{ steps.calc-hash.outputs.MAC_BUILD_HASH }}
 steps:
 - name: Checkout Repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 - name: Download MacOS artifact
 uses: actions/download-artifact@v4
 with:
 name: holmes-macos-latest-${{ github.ref_name }}
+ path: .
 - name: Calculate hash
 id: calc-hash
- run: echo "::set-output name=MAC_BUILD_HASH::$(sha256sum holmes-macos-latest-${{ github.ref_name }}.zip | awk '{print 1ドル}')"
+ run: |
+ echo "MAC_BUILD_HASH=$(sha256sum "holmes-macos-latest-${{ github.ref_name }}.zip" | awk '{print 1ドル}')" >> "$GITHUB_OUTPUT"

---

55-73: Mirror the same fixes in linux-hash.

Apply the IS_LATEST comparison, checkout@v4, artifact path, and GITHUB_OUTPUT changes here too.

 linux-hash:
 name: Calculate Linux Hash
 needs: check-latest
 runs-on: ubuntu-latest
- if: needs.check-latest.outputs.IS_LATEST
+ if: needs.check-latest.outputs.IS_LATEST == 'true'
 outputs:
 LINUX_BUILD_HASH: ${{ steps.calc-hash.outputs.LINUX_BUILD_HASH }}
 steps:
 - name: Checkout Repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 - name: Download Linux artifact
 uses: actions/download-artifact@v4
 with:
 name: holmes-ubuntu-22.04-${{ github.ref_name }}
+ path: .
 - name: Calculate hash
 id: calc-hash
- run: echo "::set-output name=LINUX_BUILD_HASH::$(sha256sum holmes-ubuntu-22.04-${{ github.ref_name }}.zip | awk '{print 1ドル}')"
+ run: |
+ echo "LINUX_BUILD_HASH=$(sha256sum "holmes-ubuntu-22.04-${{ github.ref_name }}.zip" | awk '{print 1ドル}')" >> "$GITHUB_OUTPUT"

---

74-95: Update Homebrew job: define TAG_NAME once, set minimal permissions, upgrade checkout, and make URL updates less brittle.

• Define TAG_NAME at the job level so later steps (commit) see it.
• Grant only contents: write.
• Use actions/checkout@v4 for the tap repo.
• Replace hardcoded line numbers with regex-driven replacements to reduce breakage on formula edits.

 update-formula:
 name: Update Homebrew Formula
 needs: [ mac-hash, linux-hash ]
 runs-on: ubuntu-latest
 if: ${{ !github.event.release.prerelease }}
+ permissions:
+ contents: write
+ env:
+ TAG_NAME: ${{ github.ref_name }}
 steps:
 - name: Checkout homebrew-holmesgpt repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 with:
 repository: robusta-dev/homebrew-holmesgpt
 token: ${{ secrets.MULTIREPO_GITHUB_TOKEN }}
 - name: Update holmesgpt.rb formula
 run: |
- MAC_BUILD_HASH=${{ needs.mac-hash.outputs.MAC_BUILD_HASH }}
- LINUX_BUILD_HASH=${{ needs.linux-hash.outputs.LINUX_BUILD_HASH }}
- TAG_NAME=${{ github.ref_name }}
- awk 'NR==6{0ドル=" url \"https://github.com/robusta-dev/holmesgpt/releases/download/'"$TAG_NAME"'/holmes-macos-latest-'"$TAG_NAME"'.zip\""}1' ./Formula/holmesgpt.rb > temp && mv temp ./Formula/holmesgpt.rb
- awk 'NR==7{0ドル=" sha256 \"'$MAC_BUILD_HASH'\""}1' ./Formula/holmesgpt.rb > temp && mv temp ./Formula/holmesgpt.rb
- awk 'NR==9{0ドル=" url \"https://github.com/robusta-dev/holmesgpt/releases/download/'"$TAG_NAME"'/holmes-ubuntu-22.04-'"$TAG_NAME"'.zip\""}1' ./Formula/holmesgpt.rb > temp && mv temp ./Formula/holmesgpt.rb
- awk 'NR==10{0ドル=" sha256 \"'$LINUX_BUILD_HASH'\""}1' ./Formula/holmesgpt.rb > temp && mv temp ./Formula/holmesgpt.rb
+ MAC_BUILD_HASH='${{ needs.mac-hash.outputs.MAC_BUILD_HASH }}'
+ LINUX_BUILD_HASH='${{ needs.linux-hash.outputs.LINUX_BUILD_HASH }}'
+ # Update macOS URL and sha256
+ sed -i -E \
+ -e "s|^\s*url\s+\"https://github.com/robusta-dev/holmesgpt/releases/download/.*/holmes-macos-latest-.*\.zip\"| url \"https://github.com/robusta-dev/holmesgpt/releases/download/${TAG_NAME}/holmes-macos-latest-${TAG_NAME}.zip\"|" \
+ -e "s|^\s*sha256\s+\"[0-9a-fA-F]{64}\"| sha256 \"${MAC_BUILD_HASH}\"|;t" \
+ ./Formula/holmesgpt.rb
+ # Update Linux URL and sha256 (in the Linux block)
+ sed -i -E \
+ -e "s|^\s*url\s+\"https://github.com/robusta-dev/holmesgpt/releases/download/.*/holmes-ubuntu-22\.04-.*\.zip\"| url \"https://github.com/robusta-dev/holmesgpt/releases/download/${TAG_NAME}/holmes-ubuntu-22.04-${TAG_NAME}.zip\"|" \
+ -e "s|^\s*sha256\s+\"[0-9a-fA-F]{64}\"| sha256 \"${LINUX_BUILD_HASH}\"|;t" \
+ ./Formula/holmesgpt.rb

.github/workflows/build-and-test.yaml (4)

5-5: Consider scoping triggers to reduce unnecessary CI runs.

Optionally restrict push to specific branches or paths to cut CI noise and cost. Example: only run on main and PRs touching relevant directories.

---

15-18: Enable pip caching for faster installs.

actions/setup-python@v5 supports built-in pip cache. Safe to enable alongside Poetry; it speeds up wheel downloads.

 - uses: actions/setup-python@v5
 with:
 python-version: '3.11'
+ cache: 'pip'

---

19-25: Poetry config: drop redundant virtualenvs-path when using in-project.

virtualenvs-in-project: true makes Poetry place the venv at ./.venv and ignores virtualenvs-path. Remove it to avoid confusion; optionally pin a version for reproducibility.

 - name: Install Poetry
 uses: snok/install-poetry@v1
 with:
 virtualenvs-create: true
 virtualenvs-in-project: true
- virtualenvs-path: .venv
 installer-parallel: true
+ # poetry-version: 1.7.1 # optional: pin for reproducibility

---

27-31: Optional: cache Poetry and pre-commit to speed checks.

You can cache ~/.cache/pypoetry and pre-commit’s cache to shave minutes on CI. If wanted, I can provide a ready-to-drop cache step.

.github/workflows/build-and-release.yaml (1)

95-100: Commit step: ensure TAG_NAME is available and quote variables.

With TAG_NAME set at job env, this step works. Consider quoting for safety.

 - name: Commit and push changes
 run: |
 git config --local user.email "action@github.com"
 git config --local user.name "GitHub Action"
- git commit -am "Update formula for release ${TAG_NAME}"
+ git commit -am "Update formula for release ${TAG_NAME}"
 git push

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

.github/workflows/build-template.yaml (9)

56-60: Speed up installs by enabling dependency cache for Poetry

actions/setup-python@v5 supports caching Poetry downloads keyed by poetry.lock. This significantly speeds up CI.

 - name: Set up Python
 uses: actions/setup-python@v5
 with:
- python-version: ${{ matrix.python-version }}
+ python-version: ${{ matrix.python-version }}
+ cache: 'poetry'
+ cache-dependency-path: '**/poetry.lock'

---

91-97: macOS: consider installing gnu-tar when producing .tar.gz assets

The default bsdtar works, but if you rely on GNU-specific flags elsewhere or want consistent behavior across Linux/macOS, install gnu-tar and call it explicitly.

 run: |
- brew install unixodbc
+ brew install unixodbc gnu-tar
 # Add other macOS-specific packages here as needed
 # Example: brew install pkg-config libffi

And adjust packaging step to use gtar if you add it.

---

107-121: Release version bump: guard file existence and strip a leading 'v' tag prefix

• If holmes/__init__.py is absent or the line format differs, sed/PS can silently fail or corrupt.
• Tags often start with v (e.g., v1.2.3). Consider stripping it.

 - name: Update version (Linux)
 if: contains(matrix.os, 'ubuntu') && inputs.is-release
- run: sed -i 's/__version__ = .*/__version__ = "${{ github.ref_name }}"/g' holmes/__init__.py
+ run: |
+ version="${GITHUB_REF_NAME#v}"
+ if [ -f holmes/__init__.py ]; then
+ sed -i "s/__version__ = .*/__version__ = \"${version}\"/g" holmes/__init__.py
+ else
+ echo "holmes/__init__.py not found" >&2; exit 1
+ fi

 - name: Update version (macOS)
 if: matrix.os == 'macos-latest' && inputs.is-release
- run: sed -i '' 's/__version__ = .*/__version__ = "${{ github.ref_name }}"/g' holmes/__init__.py
+ run: |
+ version="${GITHUB_REF_NAME#v}"
+ if [ -f holmes/__init__.py ]; then
+ sed -i '' "s/__version__ = .*/__version__ = \"${version}\"/g" holmes/__init__.py
+ else
+ echo "holmes/__init__.py not found" >&2; exit 1
+ fi

 - name: Update version (Windows)
 if: matrix.os == 'windows-latest' && inputs.is-release
 run: |
- $filePath = 'holmes/__init__.py'
- (Get-Content $filePath) -replace '__version__ = .+', '__version__ = "${{ github.ref_name }}"' | Set-Content $filePath
+ $filePath = 'holmes/__init__.py'
+ $version = $env:GITHUB_REF_NAME -replace '^v',''
+ if (Test-Path $filePath) {
+ (Get-Content $filePath) -replace '__version__ = .+', "__version__ = `"$version`"" | Set-Content $filePath
+ } else {
+ throw "holmes/__init__.py not found"
+ }
 shell: pwsh

To verify tag normalization, please confirm whether your tags include a leading "v" (e.g., v1.2.3). If yes, the above is needed.

---

165-186: Minor: use set -euo pipefail to fail fast in test steps

Instead of manual $? checks or relying on default behavior, enable strict mode. It catches failures earlier and keeps logs concise.

Example for Unix test step:

 run: |
- dist/holmes/holmes version
- if [ $? -ne 0 ]; then
- echo "Binary test failed"
- exit 1
- fi
+ set -euo pipefail
+ dist/holmes/holmes version
 echo "Binary test passed"

---

187-205: Packaging: consider switching macOS tar to gnu-tar if you installed it; otherwise LGTM

If you adopt the earlier gnu-tar suggestion, call gtar here for consistent behavior with Linux. Otherwise, no action needed.

---

206-215: Upload-artifact: avoid warnings when one of the files doesn’t exist

Only one of .tar.gz or .zip will exist per OS. Add if-no-files-found: ignore to keep logs clean.

 uses: actions/upload-artifact@v4
 with:
 name: holmes-${{ matrix.os }}-${{ github.run_number }}
 path: |
 holmes-${{ matrix.os }}-${{ github.run_number }}.tar.gz
 holmes-${{ matrix.os }}-${{ github.run_number }}.zip
 retention-days: 30
+ if-no-files-found: ignore

---

61-69: Security/maintainability: avoid curl | python for Poetry on Unix as well

Piping curl into the interpreter is brittle. Prefer installing Poetry via pip/pipx or using the official setup action.

- curl -sSL https://install.python-poetry.org | python3 - --version ${{ env.POETRY_VERSION }}
+ python -m pip install "poetry==${{ env.POETRY_VERSION }}"

If you keep the installer, at least pin the script via checksum and set set -euo pipefail.

---

123-143: Optional: move PyInstaller options into a .spec file for cross-platform consistency

A .spec file lets you use Tree() to include directories recursively and avoids platform-specific --add-data separators in CLI args.

I can generate a starter holmes.spec with collected datas and hidden imports if you want.

---

206-226: General: consider uploading build artifacts for non-release runs too

Helpful for debugging nightly/PR builds; you can still keep release assets gated to is-release.

- - name: Upload build artifacts
- if: inputs.is-release
+ - name: Upload build artifacts
+ if: always()

If you prefer to keep them only on release, ignore this.

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

.github/workflows/build-template.yaml (6)

81-86: Linux: add patchelf (and optionally upx) for PyInstaller reliability

PyInstaller often needs patchelf to fix ELF RPATHs; upx can shrink binaries.

Apply this diff:

 run: |
 sudo apt-get update
- sudo apt-get install -y binutils
+ sudo apt-get install -y binutils patchelf upx

---

43-43: Job name expression can index out of bounds; simplify the name

The expression dereferences [1] of a possibly single-element array, which will crash expression evaluation when only one Python version is passed.

Apply this diff:

- name: Build (${{ matrix.os }}${{ fromJson(inputs.python-versions-matrix)[0] != fromJson(inputs.python-versions-matrix)[1] && format(', Python {0}', matrix.python-version) || '' }})
+ name: Build (${{ matrix.os }}, Python ${{ matrix.python-version }})

---

71-79: Windows: avoid hard-coded path and python3; ensure Poetry install is reliable

• Hosted Windows runners may not have python3 on PATH; use python.
• Avoid the runneradmin-specific path. Use $env:APPDATA\Python\Scripts.
• Alternatively, install Poetry via pip to skip PATH gymnastics.

Minimal safe change:

 - name: Install base dependencies (Windows)
 if: matrix.os == 'windows-latest'
 run: |
 python -m pip install --upgrade pip setuptools pyinstaller
- curl -sSL https://install.python-poetry.org | python3 - --version ${{ env.POETRY_VERSION }}
- "C:\Users\runneradmin\AppData\Roaming\Python\Scripts" >> $env:GITHUB_PATH
+ curl -sSL https://install.python-poetry.org | python - --version ${{ env.POETRY_VERSION }}
+ echo "$env:APPDATA\Python\Scripts" | Out-File -FilePath "$env:GITHUB_PATH" -Encoding utf8 -Append
 poetry config virtualenvs.create false
 poetry install --no-root

Simpler alternative (recommended):

- curl -sSL https://install.python-poetry.org | python - --version ${{ env.POETRY_VERSION }}
- echo "$env:APPDATA\Python\Scripts" | Out-File -FilePath "$env:GITHUB_PATH" -Encoding utf8 -Append
+ python -m pip install "poetry==${{ env.POETRY_VERSION }}"

---

121-139: Windows build will fail without bash; also fix PyInstaller flags and add-data separators

• This step runs under PowerShell on windows-latest by default; the backslash line continuations and Bash vars will fail. Use shell: bash.
• On Windows, --add-data uses ';' not ':'; make it OS-aware.
• Fix misspelled --hiddenimport → --hidden-import.
• Avoid fragile wildcards; include directory roots to recurse.

Apply this diff:

- - name: Build binary with PyInstaller
- run: |
+ - name: Build binary with PyInstaller
+ shell: bash
+ run: |
 # Customize this PyInstaller command based on your project structure
- pyinstaller holmes_cli.py \
+ SEP=":"
+ if [[ "$RUNNER_OS" == "Windows" ]]; then SEP=";"; fi
+ pyinstaller holmes_cli.py \
 --name holmes \
- --add-data 'holmes/plugins/runbooks/*:holmes/plugins/runbooks' \
- --add-data 'holmes/plugins/prompts/*:holmes/plugins/prompts' \
- --add-data 'holmes/plugins/toolsets/*:holmes/plugins/toolsets' \
- --add-data 'holmes/plugins/toolsets/coralogix*:holmes/plugins/toolsets/coralogix' \
- --add-data 'holmes/plugins/toolsets/grafana*:holmes/plugins/toolsets/grafana' \
- --add-data 'holmes/plugins/toolsets/internet*:holmes/plugins/toolsets/internet' \
- --add-data 'holmes/plugins/toolsets/opensearch*:holmes/plugins/toolsets/opensearch' \
- --add-data 'holmes/plugins/toolsets/prometheus*:holmes/plugins/toolsets/prometheus' \
- --hidden-import=tiktoken_ext.openai_public \
- --hidden-import=tiktoken_ext \
- --hiddenimport litellm.llms.tokenizers \
- --hiddenimport litellm.litellm_core_utils.tokenizers \
+ --add-data "holmes/plugins/runbooks${SEP}holmes/plugins/runbooks" \
+ --add-data "holmes/plugins/prompts${SEP}holmes/plugins/prompts" \
+ --add-data "holmes/plugins/toolsets${SEP}holmes/plugins/toolsets" \
+ --hidden-import tiktoken_ext.openai_public \
+ --hidden-import tiktoken_ext \
+ --hidden-import litellm.llms.tokenizers \
+ --hidden-import litellm.litellm_core_utils.tokenizers \
 --collect-data litellm
 ls dist/

---

143-143: Fix if: expression syntax (actionlint) — wrap the entire condition in one ${{ ... }}

Current form mixes ${{ }} with text; actionlint flags it and GitHub may mis-evaluate.

Apply this diff:

- if: ${{ !inputs.is-release }} && matrix.os != 'windows-latest'
+ if: ${{ !inputs.is-release && matrix.os != 'windows-latest' }}

- if: ${{ !inputs.is-release }} && matrix.os == 'windows-latest'
+ if: ${{ !inputs.is-release && matrix.os == 'windows-latest' }}

Also applies to: 152-152

---

209-218: Release upload uses archived action and undefined upload_url outside release events; switch to maintained alternative

actions/upload-release-asset@v1 is archived and relies on github.event.release.upload_url which is not set when this reusable workflow is invoked by non-release events.

Apply this diff (using softprops/action-gh-release@v2):

- - name: Upload release asset
- if: inputs.is-release
- uses: actions/upload-release-asset@v1.0.2
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ github.event.release.upload_url }}
- asset_path: ./holmes-${{ matrix.os }}-${{ github.run_number }}.${{ matrix.os == 'windows-latest' && 'zip' || 'tar.gz' }}
- asset_name: holmes-${{ matrix.os }}-${{ github.ref_name }}.${{ matrix.os == 'windows-latest' && 'zip' || 'tar.gz' }}
- asset_content_type: application/octet-stream
+ - name: Upload release asset
+ if: ${{ inputs.is-release }}
+ uses: softprops/action-gh-release@v2
+ with:
+ files: holmes-${{ matrix.os }}-${{ github.run_number }}.${{ matrix.os == 'windows-latest' && 'zip' || 'tar.gz' }}
+ name: holmes ${{ github.ref_name }}
+ tag_name: ${{ github.ref_name }}
+ fail_on_unmatched_files: true

Note: Ensure the calling workflow grants permissions.contents: write to this job; reusable workflows cannot elevate beyond the caller’s permissions.

.github/workflows/build-template.yaml (3)

36-39: Remove unused PYTHON_VERSION env to avoid confusion

PYTHON_VERSION is set from inputs but never used (matrix.python-version drives setup-python). Simplify to avoid drift between env and matrix.

Apply this diff:

 env:
- PYTHON_VERSION: ${{ inputs.python-version }}
 POETRY_VERSION: ${{ inputs.poetry-version }}

---

106-107: Standardize all step if: expressions for consistency

Several if: lines omit ${{ ... }} entirely. They may work, but consistency avoids surprises and keeps actionlint happy if rules tighten.

Apply this diff to wrap the remaining ones:

- if: contains(matrix.os, 'ubuntu') && inputs.is-release
+ if: ${{ contains(matrix.os, 'ubuntu') && inputs.is-release }}
- if: matrix.os == 'macos-latest' && inputs.is-release
+ if: ${{ matrix.os == 'macos-latest' && inputs.is-release }}
- if: matrix.os == 'windows-latest' && inputs.is-release
+ if: ${{ matrix.os == 'windows-latest' && inputs.is-release }}
- if: matrix.os != 'windows-latest'
+ if: ${{ matrix.os != 'windows-latest' }}
- if: matrix.os == 'windows-latest'
+ if: ${{ matrix.os == 'windows-latest' }}
- if: (matrix.os == 'macos-latest' || contains(matrix.os, 'ubuntu')) && inputs.is-release
+ if: ${{ (matrix.os == 'macos-latest' || contains(matrix.os, 'ubuntu')) && inputs.is-release }}
- if: matrix.os == 'windows-latest' && inputs.is-release
+ if: ${{ matrix.os == 'windows-latest' && inputs.is-release }}
- if: inputs.is-release
+ if: ${{ inputs.is-release }}
- if: inputs.is-release
+ if: ${{ inputs.is-release }}

Also applies to: 111-112, 115-116, 161-161, 171-171, 182-182, 190-190, 199-199, 210-210

---

20-24: Poetry 1.4.0 is quite old; consider bumping

Unless pinned for compatibility, consider a newer stable Poetry (e.g., 1.7/1.8) for Python 3.12+ support and bugfixes.

Would you like me to suggest a conservative version that matches your current pyproject constraints?

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

.github/workflows/build-and-release.yaml (4)

3-6: Trigger on "published" (and optionally add workflow_dispatch) instead of only "created".

Only firing on created means the workflow won’t run when the release is actually published. Add published (and optionally prereleased) and a manual trigger.

 on:
 release:
- types: [ created ]
+ types: [ published, prereleased ]
+ # Optional manual trigger
+ workflow_dispatch:

---

41-41: Fix truthiness: compare IS_LATEST explicitly to 'true'.

Job-level if with a non-empty string like "false" still evaluates truthy. Compare explicitly so the hash jobs only run for the latest release.

- if: needs.check-latest.outputs.IS_LATEST
+ if: needs.check-latest.outputs.IS_LATEST == 'true'
@@
- if: needs.check-latest.outputs.IS_LATEST
+ if: needs.check-latest.outputs.IS_LATEST == 'true'

Also applies to: 60-60

---

46-46: Upgrade actions/checkout to v4.

v2 is deprecated on modern runners; upgrade all occurrences.

- uses: actions/checkout@v2
+ uses: actions/checkout@v4

Also applies to: 65-65, 84-84

---

48-54: Replace deprecated set-output and ensure artifact path is correct.

• ::set-output is deprecated; write to $GITHUB_OUTPUT.
• download-artifact@v4 defaults to placing files in a subdirectory; set path: . so sha256sum finds the .zip at CWD.

 - name: Download MacOS artifact
 uses: actions/download-artifact@v4
 with:
 name: holmes-macos-latest-${{ github.ref_name }}
+ path: .
 - name: Calculate hash
 id: calc-hash
- run: echo "::set-output name=MAC_BUILD_HASH::$(sha256sum holmes-macos-latest-${{ github.ref_name }}.zip | awk '{print 1ドル}')"
+ run: |
+ echo "MAC_BUILD_HASH=$(sha256sum "holmes-macos-latest-${{ github.ref_name }}.zip" | awk '{print 1ドル}')" >> "$GITHUB_OUTPUT"
@@
 - name: Download Linux artifact
 uses: actions/download-artifact@v4
 with:
 name: holmes-ubuntu-22.04-${{ github.ref_name }}
+ path: .
 - name: Calculate hash
 id: calc-hash
- run: echo "::set-output name=LINUX_BUILD_HASH::$(sha256sum holmes-ubuntu-22.04-${{ github.ref_name }}.zip | awk '{print 1ドル}')"
+ run: |
+ echo "LINUX_BUILD_HASH=$(sha256sum "holmes-ubuntu-22.04-${{ github.ref_name }}.zip" | awk '{print 1ドル}')" >> "$GITHUB_OUTPUT"

Also applies to: 66-72

.github/workflows/build-and-release.yaml (3)

89-95: Make formula edits resilient; avoid brittle line-number AWK rewrites.

Hardcoding NR==6/7/9/10 will break when the formula structure shifts. Match on URL patterns and update in place. Also quote safely.

- awk 'NR==6{0ドル=" url \"https://github.com/robusta-dev/holmesgpt/releases/download/'"$TAG_NAME"'/holmes-macos-latest-'"$TAG_NAME"'.zip\""}1' ./Formula/holmesgpt.rb > temp && mv temp ./Formula/holmesgpt.rb
- awk 'NR==7{0ドル=" sha256 \"'$MAC_BUILD_HASH'\""}1' ./Formula/holmesgpt.rb > temp && mv temp ./Formula/holmesgpt.rb
- awk 'NR==9{0ドル=" url \"https://github.com/robusta-dev/holmesgpt/releases/download/'"$TAG_NAME"'/holmes-ubuntu-22.04-'"$TAG_NAME"'.zip\""}1' ./Formula/holmesgpt.rb > temp && mv temp ./Formula/holmesgpt.rb
- awk 'NR==10{0ドル=" sha256 \"'$LINUX_BUILD_HASH'\""}1' ./Formula/holmesgpt.rb > temp && mv temp ./Formula/holmesgpt.rb
+ sed -i.bak -E \
+ -e 's|^([[:space:]]*url ")[^"]*(holmes-macos-latest-)[^"]*(")|1円https://github.com/robusta-dev/holmesgpt/releases/download/'"$TAG_NAME"'/2円'"$TAG_NAME"'.zip3円|' \
+ -e '0,/^([[:space:]]*sha256 ")[0-9a-f]{64}(")/s//1円'"$MAC_BUILD_HASH"'2円/' \
+ -e 's|^([[:space:]]*url ")[^"]*(holmes-ubuntu-22\.04-)[^"]*(")|1円https://github.com/robusta-dev/holmesgpt/releases/download/'"$TAG_NAME"'/2円'"$TAG_NAME"'.zip3円|' \
+ -e '0,/^([[:space:]]*sha256 ")[0-9a-f]{64}(")/{s//1円'"$MAC_BUILD_HASH"'2円/;b}; s//1円'"$LINUX_BUILD_HASH"'2円/' \
+ ./Formula/holmesgpt.rb
+ rm -f ./Formula/holmesgpt.rb.bak

Alternatively, consider using brew bump-formula-pr with a tap to let Homebrew handle the edits, or template the formula and render from inputs during CI.

---

96-101: Harden commit step for reliability.

• Add git add to ensure changes are staged (commit -am skips untracked files).
• Optionally set explicit push ref to the checked-out default branch if needed.

 run: |
 git config --local user.email "action@github.com"
 git config --local user.name "GitHub Action"
- git commit -am "Update formula for release ${TAG_NAME}"
+ git add -A
+ git commit -m "Update formula for release ${TAG_NAME}"
 git push

---

75-81: Optional: make the "latest release" gate explicit here too.

Because this job needs the hash jobs, it will skip if they skip, but adding the explicit check improves intent and future-proofing.

- if: ${{ !github.event.release.prerelease }}
+ if: ${{ needs.check-latest.outputs.IS_LATEST == 'true' && !github.event.release.prerelease }}

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

.github/workflows/build-and-release.yaml (5)

3-6: Release trigger should run on publish, not only "created".

As written, the workflow won’t run when a release is actually published.

 on:
 release:
- types: [ created ]
+ types: [ published, prereleased ]
+ workflow_dispatch:

---

41-41: Fix truthiness bug in IS_LATEST gate.

Outputs are strings; bare usage treats "false" as truthy.

- if: needs.check-latest.outputs.IS_LATEST
+ if: needs.check-latest.outputs.IS_LATEST == 'true'
@@
- if: needs.check-latest.outputs.IS_LATEST
+ if: needs.check-latest.outputs.IS_LATEST == 'true'

Also applies to: 60-60

---

46-46: Upgrade checkout to v4.

v2 is blocked on modern runners.

- uses: actions/checkout@v2
+ uses: actions/checkout@v4

Also applies to: 65-65, 84-84

---

48-54: Replace deprecated set-output and ensure artifact path.

Write to $GITHUB_OUTPUT and download into cwd so the file is found.

- - name: Download MacOS artifact
+ - name: Download macOS artifact
 uses: actions/download-artifact@v4
 with:
 name: holmes-macos-latest-${{ github.ref_name }}
+ path: .
 - name: Calculate hash
 id: calc-hash
- run: echo "::set-output name=MAC_BUILD_HASH::$(sha256sum holmes-macos-latest-${{ github.ref_name }}.zip | awk '{print 1ドル}')"
+ run: |
+ echo "MAC_BUILD_HASH=$(sha256sum "holmes-macos-latest-${{ github.ref_name }}.zip" | awk '{print 1ドル}')" >> "$GITHUB_OUTPUT"

---

67-73: Do the same for Linux artifact.

 - name: Download Linux artifact
 uses: actions/download-artifact@v4
 with:
 name: holmes-ubuntu-22.04-${{ github.ref_name }}
+ path: .
 - name: Calculate hash
 id: calc-hash
- run: echo "::set-output name=LINUX_BUILD_HASH::$(sha256sum holmes-ubuntu-22.04-${{ github.ref_name }}.zip | awk '{print 1ドル}')"
+ run: |
+ echo "LINUX_BUILD_HASH=$(sha256sum "holmes-ubuntu-22.04-${{ github.ref_name }}.zip" | awk '{print 1ドル}')" >> "$GITHUB_OUTPUT"

.github/workflows/build-and-test.yaml (3)

19-25: Poetry config is redundant; simplify.

virtualenvs-in-project: true makes virtualenvs-path unused. Drop the path or set in-project: false.

 - with:
 - virtualenvs-create: true
 - virtualenvs-in-project: true
 - virtualenvs-path: .venv
 - installer-parallel: true
 + with:
 + virtualenvs-create: true
 + virtualenvs-in-project: true
 + installer-parallel: true

---

27-28: Speed up installs with Poetry + venv caching.

Cache Poetry/downloads and the project venv keyed by poetry.lock.

 - name: Install dependencies
- run: poetry install --no-interaction --no-root
+ run: poetry install --no-interaction --no-root
+ - name: Cache Poetry and venv
+ uses: actions/cache@v4
+ with:
+ path: |
+ ~/.cache/pypoetry
+ ./.venv
+ key: ${{ runner.os }}-poetry-${{ hashFiles('**/poetry.lock') }}
+ restore-keys: |
+ ${{ runner.os }}-poetry-

---

5-5: Add concurrency to auto-cancel superseded runs.

Prevents backlog on busy PRs.

 name: Build and test HolmesGPT
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
@@
-on: [ push, pull_request, workflow_dispatch ]
+on: [ push, pull_request, workflow_dispatch ]

.github/workflows/build-and-release.yaml (2)

9-19: Avoid duplicating python version inputs to the reusable workflow.

Pass either a single python-version or the matrix, not both.

- python-version: "3.11"
- python-versions-matrix: '["3.11"]'
+ python-versions-matrix: '["3.11"]'

---

89-95: Brittle line-number rewrites; switch to pattern-based edits.

NR-based awk breaks if the formula header shifts. Match by pattern.

- awk 'NR==6{0ドル=" url \"https://github.com/robusta-dev/holmesgpt/releases/download/'"$TAG_NAME"'/holmes-macos-latest-'"$TAG_NAME"'.zip\""}1' ./Formula/holmesgpt.rb > temp && mv temp ./Formula/holmesgpt.rb
- awk 'NR==7{0ドル=" sha256 \"'$MAC_BUILD_HASH'\""}1' ./Formula/holmesgpt.rb > temp && mv temp ./Formula/holmesgpt.rb
- awk 'NR==9{0ドル=" url \"https://github.com/robusta-dev/holmesgpt/releases/download/'"$TAG_NAME"'/holmes-ubuntu-22.04-'"$TAG_NAME"'.zip\""}1' ./Formula/holmesgpt.rb > temp && mv temp ./Formula/holmesgpt.rb
- awk 'NR==10{0ドル=" sha256 \"'$LINUX_BUILD_HASH'\""}1' ./Formula/holmesgpt.rb > temp && mv temp ./Formula/holmesgpt.rb
+ sed -i.bak \
+ -e 's#^\s*url "https://github.com/robusta-dev/holmesgpt/releases/download/.*/holmes-macos-latest-.*\.zip"# url "https://github.com/robusta-dev/holmesgpt/releases/download/'"$TAG_NAME"'/holmes-macos-latest-'"$TAG_NAME"'.zip"#' \
+ -e '0,/^\s*sha256 "/s// sha256 "'$MAC_BUILD_HASH'"/' \
+ -e 's#^\s*url "https://github.com/robusta-dev/holmesgpt/releases/download/.*/holmes-ubuntu-22\.04-.*\.zip"# url "https://github.com/robusta-dev/holmesgpt/releases/download/'"$TAG_NAME"'/holmes-ubuntu-22.04-'"$TAG_NAME"'.zip"#' \
+ -e '1,/^\s*sha256 "/s// sha256 "'$LINUX_BUILD_HASH'"/' \
+ ./Formula/holmesgpt.rb
+ rm -f ./Formula/holmesgpt.rb.bak

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

.github/workflows/build-template.yaml (6)

43-49: Fix job name expression to avoid out-of-bounds and simplify

The expression indexes [1] and will throw when the matrix has one element. Always include the current Python version.

- name: Build (${{ matrix.os }}${{ fromJson(inputs.python-versions-matrix)[0] != fromJson(inputs.python-versions-matrix)[1] && format(', Python {0}', matrix.python-version) || '' }})
+ name: Build (${{ matrix.os }}, Python ${{ matrix.python-version }})

---

71-80: Windows: avoid hard-coded path and python3; install Poetry via pip

Removes brittle path assumptions and ensures availability.

- python -m pip install --upgrade pip setuptools pyinstaller
- curl -sSL https://install.python-poetry.org | python3 - --version ${{ env.POETRY_VERSION }}
- C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry config virtualenvs.create false
- C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry install --no-root
- # Updated GITHUB_PATH works on next steps, not current step somehow
- echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts" >> $env:GITHUB_PATH
+ python -m pip install --upgrade pip setuptools pyinstaller
+ python -m pip install "poetry==${{ env.POETRY_VERSION }}"
+ poetry config virtualenvs.create false
+ poetry install --no-root

---

82-89: Add patchelf (and optionally upx) on Linux for PyInstaller reliability

PyInstaller often needs patchelf to fix ELF RPATHs; upx can reduce size.

 sudo apt-get update
- sudo apt-get install -y binutils
+ sudo apt-get install -y binutils patchelf upx

---

121-143: PyInstaller flags: fix --hidden-import spelling and cross-OS --add-data separator

Use OS-aware separator and directory roots; wildcards can miss nested dirs.

- pyinstaller holmes_cli.py \
+ SEP=":"
+ if [[ "$RUNNER_OS" == "Windows" ]]; then SEP=";"; fi
+ pyinstaller holmes_cli.py \
 --name holmes \
- --add-data 'holmes/plugins/runbooks/*:holmes/plugins/runbooks' \
- --add-data 'holmes/plugins/prompts/*:holmes/plugins/prompts' \
- --add-data 'holmes/plugins/toolsets/*:holmes/plugins/toolsets' \
- --add-data 'holmes/plugins/toolsets/coralogix*:holmes/plugins/toolsets/coralogix' \
- --add-data 'holmes/plugins/toolsets/grafana*:holmes/plugins/toolsets/grafana' \
- --add-data 'holmes/plugins/toolsets/internet*:holmes/plugins/toolsets/internet' \
- --add-data 'holmes/plugins/toolsets/opensearch*:holmes/plugins/toolsets/opensearch' \
- --add-data 'holmes/plugins/toolsets/prometheus*:holmes/plugins/toolsets/prometheus' \
- --hidden-import=tiktoken_ext.openai_public \
- --hidden-import=tiktoken_ext \
- --hiddenimport litellm.llms.tokenizers \
- --hiddenimport litellm.litellm_core_utils.tokenizers \
+ --add-data "holmes/plugins/runbooks${SEP}holmes/plugins/runbooks" \
+ --add-data "holmes/plugins/prompts${SEP}holmes/plugins/prompts" \
+ --add-data "holmes/plugins/toolsets${SEP}holmes/plugins/toolsets" \
+ --hidden-import tiktoken_ext.openai_public \
+ --hidden-import tiktoken_ext \
+ --hidden-import litellm.llms.tokenizers \
+ --hidden-import litellm.litellm_core_utils.tokenizers \
 --collect-data litellm

---

193-201: Upload only the archive that exists per-OS; set if-no-files-found

Listing both .tar.gz and .zip can fail on non-matching OS.

- - name: Upload build artifacts
- if: inputs.is-release
+ - name: Upload build artifacts
+ if: ${{ inputs.is-release }}
 uses: actions/upload-artifact@v4
 with:
 name: holmes-${{ matrix.os }}-${{ github.run_number }}
- path: |
- holmes-${{ matrix.os }}-${{ github.run_number }}.tar.gz
- holmes-${{ matrix.os }}-${{ github.run_number }}.zip
+ path: holmes-${{ matrix.os }}-${{ github.run_number }}.${{ matrix.os == 'windows-latest' && 'zip' || 'tar.gz' }}
 retention-days: 30
+ if-no-files-found: error

---

204-213: Switch from archived upload-release-asset to maintained action

actions/upload-release-asset@v1 is archived and unreliable. Use softprops/action-gh-release@v2.

- - name: Upload release asset
- if: inputs.is-release
- uses: actions/upload-release-asset@v1.0.2
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ github.event.release.upload_url }}
- asset_path: ./holmes-${{ matrix.os }}-${{ github.run_number }}.${{ matrix.os == 'windows-latest' && 'zip' || 'tar.gz' }}
- asset_name: holmes-${{ matrix.os }}-${{ github.ref_name }}.${{ matrix.os == 'windows-latest' && 'zip' || 'tar.gz' }}
- asset_content_type: application/octet-stream
+ - name: Upload release asset
+ if: ${{ inputs.is-release }}
+ uses: softprops/action-gh-release@v2
+ with:
+ files: holmes-${{ matrix.os }}-${{ github.run_number }}.${{ matrix.os == 'windows-latest' && 'zip' || 'tar.gz' }}
+ name: holmes ${{ github.ref_name }}
+ tag_name: ${{ github.ref_name }}
+ fail_on_unmatched_files: true

.github/workflows/build-and-release.yaml (8)

96-101: Guard commit when no changes to avoid failing the job

Avoids non-zero exit when the formula already matches.

- git commit -am "Update formula for release ${TAG_NAME}"
- git push
+ if ! git diff --quiet; then
+ git commit -am "Update formula for release ${TAG_NAME}"
+ git push
+ else
+ echo "No changes to commit."
+ fi

---

3-6: Trigger on published/prereleased (not only created); add manual trigger

Ensures the formula update runs when a release is live.

 on:
 release:
- types: [ created ]
+ types: [ published, prereleased ]
+ workflow_dispatch:

---

21-28: Ensure IS_LATEST output is compared as a string in dependent jobs

Job outputs are strings; using them bare is always truthy.

 outputs:
 IS_LATEST: ${{ steps.check-latest.outputs.release == github.ref_name }}

Then update consumers below (see next comments) to compare to 'true'.

---

39-43: Fix job-level if: compare to 'true'

Prevents always-on behavior.

- if: needs.check-latest.outputs.IS_LATEST
+ if: needs.check-latest.outputs.IS_LATEST == 'true'

---

46-46: Upgrade checkout to v4

v2 is EOL on modern runners.

- uses: actions/checkout@v2
+ uses: actions/checkout@v4

---

60-66: Upgrade checkout to v4

Same as above.

- - name: Checkout Repository
- uses: actions/checkout@v2
+ - name: Checkout Repository
+ uses: actions/checkout@v4

---

74-82: Propagate IS_LATEST gate correctly and define TAG_NAME env

Also ensure the prerelease guard stays intact.

 update-formula:
 name: Update Homebrew Formula
 needs: [ mac-hash, linux-hash ]
 runs-on: ubuntu-latest
- if: ${{ !github.event.release.prerelease }}
+ if: ${{ !github.event.release.prerelease && needs.check-latest.outputs.IS_LATEST == 'true' }}
 env:
 TAG_NAME: ${{ github.ref_name }}

---

83-88: Upgrade checkout to v4 for the tap repo

- uses: actions/checkout@v2
+ uses: actions/checkout@v4

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.