Providing a Homebrew tap backed by private GitHub repo

x.md

First of all, install Homebrew itself.

As the tap is a private Git repo, you need to generate a GitHub token with repo scope and then add this token to your ~/.netrc file like this:

machine github.com
  login <your GitHub user>
  password <your GitHub token>

Now you can add the tap to your system:

brew tap user/repo

Afterwards, you can finally install tools provided by the tap:

Install the current version of tool XYZ:

brew install XYZ

Install the latest version of tool XYZ:

brew rm XYZ; brew install --HEAD XYZ

Any idea how to handle taps that reference private urls? My formula has https://github.com/iGaskin/homebrew-tools/releases/download/v0.0.1/igaskin-0.0.1.tar.gz in the url field, which can only be accessed via the private rep.

As @igaskin-gpsw mentions, this is unfortunately only half the story, i.e. a private brew package repo that references package sources in a public repository. There doesn't seem to be support for a private brew package repo referencing a private package source repo, especially not for cases outside github, e.g. gitlab.com or private, intranet-based repos.

@igaskin-gpsw @z00m1n: for installing from releases on private Github repositories, use this syntax in your formula:

  url "https://github.com/<owner>/<repo>/releases/download/<version>/<file>", :using => GitHubPrivateRepositoryReleaseDownloadStrategy

Note that you'll have to provide a Github API token with scope repo in environment variable HOMEBREW_GITHUB_API_TOKEN. For example:

HOMEBREW_GITHUB_API_TOKEN="<token>" brew install myprivateprog

Ideally you wouldn't provide the token as cleartext on the commandline, but rather through a password manager like pass or gopass.

See https://github.com/Homebrew/brew/pull/1763/files

Looks like this no longer works, gives the following error with brew version Homebrew 2.2.13-12-gc9ffde6

uninitialized constant #<Class:0x00007f956797ecb8>::GitHubPrivateRepositoryReleaseDownloadStrategy

You can just do brew tap <owner>/<repo>/<file> <git-clone-address>. For instance if https://github.com/cockroachdb/homebrew-tap was a private repo you'd do brew tap cockroachdb/tap/cockroach git@github.com:cockroachdb/homebrew-tap.git

As long as you have an SSH key added to your ssh-agent that has access to that org (i.e. you can git clone) this will work. No need to futz with environment variables or special tokens beyond the regular setup needed for any source control system.

thanks @cbzehner, this makes more sense as it will use the existing auth mechanism

@cbzehner I think this solution fixes the issue of accessing a private tap but not private code.

The tool my formula is installing is in a private repo and the release is not accessible without custom http headers. This might work if the install step is cloning the repo and building the tool, but then everybody that installs it needs the build dependencies (Go, C++, Rust, whatever).

@KevinGimbel
It works with private repo by using the old removed install strategy from homebrew GitHubPrivateRepositoryReleaseDownloadStrategy.
But to use it like how it is shown by @sgeb, you will need a sub-directory, lets say my_strategies, on the top of your repo's directory.
You should now put the strategy definition inside my_strategies, lets say it is called custom_strategy.rb.
Then, for the rest of your formulas, which should be on the top of your repo's directory, put this on the top:

require_relative 'my_strategies/custom_strategy'
# ... rest  of your formula ... #

I got the idea from: https://gist.github.com/minamijoyo/3d8aa79085369efb79964ba45e24bb0e
I tried and it works perfectly fine. Just remember brew audit will not pass if you use this strategy, as the repo will seem unaccessible to brew.

One very hacky option: set the url in the formula to file:///tmp/file.tar.gz and let your install instructions be:

curl https://url/to/file.tar.gz > /tmp/file.tar.gz
brew install <owner>/<repo>/<file>