feat(scripts): add Homebrew distribution (#149)

* feat(scripts): add Homebrew distribution library

* feat(scripts): add Homebrew distribution script and CI job

* docs: add Homebrew distribution to README and releasing docs

* feat(homebrew): add parseMajorVersion helper

* fix(homebrew): validate parseMajorVersion input

* feat(homebrew): support versioned formula rendering

* feat(homebrew): write versioned formula alongside latest

* refactor(homebrew): flatten arg parsing and replace shell-outs with node:fs

Move parseArgs to the top level to match the pattern in scripts/run-tests.ts.
Replace Bun.spawnSync calls to mkdir and cp with mkdirSync and copyFileSync.

* docs(homebrew): fix stale file paths and count in releasing docs

* fix(lint): pass oxlint config explicitly in pre-commit hook

The nano-staged hook invoked `oxlint` without `-c .oxlintrc.json`, so
the `scripts/**` overrides that disable `no-console` and
`unicorn/no-process-exit` did not apply and any commit touching a
script file failed the hook. Mirrors the fix already applied to the
`lint` script in 69a9627.

* fix(homebrew): address review feedback

Fail fast when HOMEBREW_TAP_TOKEN is missing instead of after archive
upload. Replace run() with Bun.spawnSync for `git remote set-url` so
the token is not interpolated into thrown error messages. Drop the
leading article from `desc` and use modern on_arm/on_intel DSL blocks.

Author: wyattjoh

.github/workflows/release.yml

@@ -132,6 +132,30 @@ jobs:
             gh release upload "$tag" "${dir}clerk-${target}${ext}" --clobber
           done
 
+  homebrew:
+    needs: [versioning, build, sign-macos, smoke-test, publish-npm]
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v6
+      - uses: oven-sh/setup-bun@v2
+      - run: bun install --frozen-lockfile
+
+      - uses: actions/download-artifact@v8
+        with:
+          pattern: clerk-{darwin-arm64,darwin-x64,linux-arm64,linux-x64}
+          path: dist/artifacts
+
+      - name: Publish Homebrew formula
+        run: bun run scripts/homebrew.ts --version "$VERSION"
+        env:
+          VERSION: ${{ needs.versioning.outputs.version }}
+          ARTIFACTS_DIR: ${{ github.workspace }}/dist/artifacts
+          GH_TOKEN: ${{ github.token }}
+          HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
+
   # ─── Canary release ────────────────────────────────────────────────
 
   canary-version:

README.md

@@ -4,6 +4,14 @@ The Clerk command-line interface.
 
 ## Installation
 
+### Homebrew (macOS / Linux)
+
+```sh
+brew install clerk/stable/clerk
+```
+
+### npm
+
 ```sh
 npm install -g clerk
 ```

docs/releasing.md

@@ -6,24 +6,25 @@ This document describes how the Clerk CLI is built, versioned, and published.
 
 ```
 push to main
-  → changesets/action creates/updates "Version Packages" PR
-    → merge "Version Packages" PR
-      → check-release.ts detects unpublished version
-        → build job: cross-compile all 8 targets (~5.5s total)
-          → sign-macos job: code sign + notarize darwin binaries
-            → smoke-test job: verify binaries on native runners
-              → publish-npm: generate platform packages + publish wrapper
-              → upload-github-assets: attach binaries to the GitHub Release
-  → (if no stable release needed) canary.ts versions packages
-    → build → sign-macos → smoke-test subset → upload GitHub pre-release → publish @canary (npm)
+  -> changesets/action creates/updates "Version Packages" PR
+    -> merge "Version Packages" PR
+      -> check-release.ts detects unpublished version
+        -> build job: cross-compile all 8 targets (~5.5s total)
+          -> sign-macos job: code sign + notarize darwin binaries
+            -> smoke-test job: verify binaries on native runners
+              -> publish-npm: generate platform packages + publish wrapper
+                -> upload-github-assets: attach binaries to the GitHub Release
+                -> homebrew: create archives, upload, render formula, push to clerk/homebrew-stable
+  -> (if no stable release needed) canary.ts versions packages
+    -> build -> sign-macos -> smoke-test subset -> upload GitHub pre-release -> publish @canary (npm)
 
 PR comment "!snapshot [name]"
-  → snapshot.ts versions packages from PR branch
-    → build job: cross-compile binaries
-      → sign-macos job: code sign + notarize darwin binaries
-        → smoke-test job: verify linux-x64 binary
-          → publish-npm: publish @snapshot packages
-            → post installation comment on PR
+  -> snapshot.ts versions packages from PR branch
+    -> build job: cross-compile binaries
+      -> sign-macos job: code sign + notarize darwin binaries
+        -> smoke-test job: verify linux-x64 binary
+          -> publish-npm: publish @snapshot packages
+            -> post installation comment on PR
 ```
 
 ## Architecture
@@ -192,6 +193,14 @@ Publishing uses [npm OIDC trusted publishing](https://docs.npmjs.com/trusted-pub
 
 Attaches the compiled binaries to the GitHub Release for direct download. Binaries are uploaded with display names following the `clerk-<target>` convention (e.g., `clerk-darwin-arm64`, `clerk-win32-x64.exe`).
 
+### 6. Homebrew Job
+
+Creates `.tar.gz` archives of the 4 Homebrew-relevant binaries (darwin-arm64, darwin-x64, linux-arm64, linux-x64) downloaded directly from Actions artifacts, uploads them to the GitHub Release, computes SHA256 checksums, renders `Formula/clerk.rb`, and pushes the result to `clerk/homebrew-stable`. The push uses the `HOMEBREW_TAP_TOKEN` secret (a fine-grained PAT or GitHub App token with `contents: write` on `clerk/homebrew-stable`).
+
+This job runs in parallel with `publish-github` since both depend on `publish-npm` (which creates the GitHub Release).
+
+Install: `brew install clerk/stable/clerk`
+
 ## Key Files
 
 | File                                   | Purpose                                                                        |
@@ -209,20 +218,23 @@ Attaches the compiled binaries to the GitHub Release for direct download. Binari
 | `scripts/canary.ts`                    | Versions packages for canary channel using Changesets snapshots                |
 | `scripts/snapshot.ts`                  | Versions packages for snapshot channel using Changesets snapshots              |
 | `scripts/check-release.ts`             | Detects if a stable release is needed (compares version to npm registry)       |
+| `scripts/homebrew.ts`                  | Creates Homebrew archives, uploads to release, renders and pushes formula      |
+| `scripts/lib/homebrew.ts`              | Homebrew formula renderer, target list, and helper utilities                   |
 | `.changeset/config.json`               | Changesets configuration                                                       |
 | `.github/workflows/build-binaries.yml` | Reusable workflow for cross-compiling binaries (called by release + snapshot)  |
 | `.github/workflows/sign-macos.yml`     | Reusable workflow for macOS code signing and notarization                      |
 | `.github/workflows/smoke-test.yml`     | Reusable workflow for smoke-testing binaries (called by release + snapshot)    |
-| `.github/workflows/release.yml`        | GitHub Actions release, canary, and snapshot workflow                           |
+| `.github/workflows/release.yml`        | GitHub Actions release, canary, and snapshot workflow                          |
 
 ## Keeping Targets in Sync
 
 The target list exists in these places that must stay in sync:
 
 1. `scripts/releaser/targets.ts` -- used by the releaser to generate platform packages and by `scripts/build.ts` to cross-compile binaries
 2. `.github/workflows/smoke-test.yml` preset definitions -- defines the target matrix for each preset (`stable`, `canary`, `snapshot`)
+3. `scripts/lib/homebrew.ts` -- the `HOMEBREW_TARGETS` array of Homebrew-relevant targets (darwin-arm64, darwin-x64, linux-arm64, linux-x64)
 
-If you add or remove a target, update both of these. Note that the smoke-test presets may not cover every target if a native runner isn't available (e.g., `win32-arm64`).
+If you add or remove a target, update all three of these. Note that the smoke-test presets may not cover every target if a native runner isn't available (e.g., `win32-arm64`).
 
 ## Local Development
 

package.json

@@ -43,7 +43,7 @@
   "nano-staged": {
     "*.{ts,tsx,js,jsx}": [
       "oxfmt --write",
-      "oxlint"
+      "oxlint -c .oxlintrc.json"
     ],
     "*.{md,json,css}": "oxfmt --write"
   },

scripts/homebrew.ts

@@ -0,0 +1,143 @@
+import { mkdtemp, writeFile, mkdir } from "node:fs/promises";
+import { join, basename } from "node:path";
+import { tmpdir } from "node:os";
+import { parseArgs } from "node:util";
+import {
+  renderFormula,
+  createArchive,
+  computeChecksum,
+  parseMajorVersion,
+  HOMEBREW_TARGETS,
+  type FormulaInput,
+} from "./lib/homebrew.ts";
+import { run } from "./lib/npm.ts";
+
+const DEFAULT_ARTIFACTS_DIR =
+  process.env.ARTIFACTS_DIR ?? join(import.meta.dir, "../dist/artifacts");
+
+const { values } = parseArgs({
+  options: {
+    version: { type: "string" },
+    "artifacts-dir": { type: "string" },
+    "tap-repo": { type: "string" },
+    "dry-run": { type: "boolean", default: false },
+  },
+  strict: true,
+});
+
+if (!values.version) {
+  console.error("--version is required.");
+  process.exit(1);
+}
+
+const version = values.version;
+const artifactsDir = values["artifacts-dir"] ?? DEFAULT_ARTIFACTS_DIR;
+const tapRepo = values["tap-repo"] ?? "clerk/homebrew-stable";
+const dryRun = values["dry-run"]!;
+
+if (!dryRun && !process.env.HOMEBREW_TAP_TOKEN) {
+  console.error("HOMEBREW_TAP_TOKEN is required (use --dry-run to skip).");
+  process.exit(1);
+}
+
+console.log(`Homebrew distribution: v${version}${dryRun ? " (dry run)" : ""}`);
+console.log(`Artifacts dir: ${artifactsDir}`);
+console.log(`Tap repo: ${tapRepo}`);
+
+const workDir = await mkdtemp(join(tmpdir(), "homebrew-archives-"));
+console.log(`Work directory: ${workDir}`);
+
+const archivePaths = new Map<string, string>();
+
+for (const target of HOMEBREW_TARGETS) {
+  const binaryPath = join(artifactsDir, `clerk-${target.name}`, "clerk");
+  const archivePath = join(workDir, `homebrew-clerk-${target.name}.tar.gz`);
+  console.log(`Creating archive for ${target.name}...`);
+  createArchive(binaryPath, archivePath);
+  archivePaths.set(target.name, archivePath);
+}
+
+const tagName = `v${version}`;
+for (const target of HOMEBREW_TARGETS) {
+  const archivePath = archivePaths.get(target.name)!;
+  if (dryRun) {
+    console.log(`[dry-run] Would upload ${basename(archivePath)} to ${tagName}`);
+  } else {
+    console.log(`Uploading ${basename(archivePath)} to ${tagName}...`);
+    run(["gh", "release", "upload", tagName, archivePath, "--clobber"]);
+  }
+}
+
+console.log("Computing checksums...");
+const checksums = {} as FormulaInput["checksums"];
+for (const target of HOMEBREW_TARGETS) {
+  const archivePath = archivePaths.get(target.name)!;
+  checksums[target.name] = await computeChecksum(archivePath);
+}
+
+for (const target of HOMEBREW_TARGETS) {
+  console.log(`  ${target.name}: ${checksums[target.name]}`);
+}
+
+const formula = renderFormula({ version, checksums });
+console.log("\nRendered formula:");
+console.log(formula);
+
+const major = parseMajorVersion(version);
+const versionedFormula = renderFormula({ version, checksums, major });
+console.log("\nRendered versioned formula:");
+console.log(versionedFormula);
+
+if (dryRun) {
+  console.log("[dry-run] Skipping tap clone and push.");
+  console.log(`[dry-run] Would write Formula/clerk.rb and Formula/clerk@${major}.rb`);
+} else {
+  const token = process.env.HOMEBREW_TAP_TOKEN!;
+
+  const tapWorkDir = join(workDir, "tap-workdir");
+  console.log(`Cloning tap repo ${tapRepo}...`);
+  run(["git", "clone", `https://github.com/${tapRepo}.git`, tapWorkDir]);
+  const setUrlResult = Bun.spawnSync(
+    [
+      "git",
+      "remote",
+      "set-url",
+      "origin",
+      `https://x-access-token:${token}@github.com/${tapRepo}.git`,
+    ],
+    { cwd: tapWorkDir, stdio: ["ignore", "pipe", "pipe"] },
+  );
+  if (setUrlResult.exitCode !== 0) {
+    throw new Error("Failed to configure authenticated remote for tap repo");
+  }
+
+  const formulaDir = join(tapWorkDir, "Formula");
+  await mkdir(formulaDir, { recursive: true });
+  const formulaPath = join(formulaDir, "clerk.rb");
+  await writeFile(formulaPath, formula, "utf-8");
+  console.log(`Wrote formula to ${formulaPath}`);
+
+  const versionedFormulaPath = join(formulaDir, `clerk@${major}.rb`);
+  await writeFile(versionedFormulaPath, versionedFormula, "utf-8");
+  console.log(`Wrote versioned formula to ${versionedFormulaPath}`);
+
+  run(["git", "config", "user.name", "clerk-bot"], { cwd: tapWorkDir });
+  run(["git", "config", "user.email", "bot@clerk.com"], { cwd: tapWorkDir });
+  run(["git", "add", "Formula/clerk.rb", `Formula/clerk@${major}.rb`], { cwd: tapWorkDir });
+
+  const diffResult = Bun.spawnSync(["git", "diff", "--cached", "--quiet"], {
+    cwd: tapWorkDir,
+    stdio: ["ignore", "pipe", "pipe"],
+  });
+
+  if (diffResult.exitCode === 0) {
+    console.log("No changes to formula, skipping commit and push.");
+  } else {
+    console.log(`Committing and pushing formula for clerk ${version}...`);
+    run(["git", "commit", "-m", `clerk ${version}`], { cwd: tapWorkDir });
+    run(["git", "push", "origin", "main"], { cwd: tapWorkDir });
+    console.log("Pushed formula to tap.");
+  }
+}
+
+console.log("Done!");