Skip to content

feat: add dotfiles formula and wire nsheaps-base to use it#520

Open
nsheaps wants to merge 5 commits into
mainfrom
claude/dotfiles-homebrew-formula-w2pore
Open

feat: add dotfiles formula and wire nsheaps-base to use it#520
nsheaps wants to merge 5 commits into
mainfrom
claude/dotfiles-homebrew-formula-w2pore

Conversation

@nsheaps

@nsheaps nsheaps commented Jul 9, 2026

Copy link
Copy Markdown
Owner

Add Formula/dotfiles.rb (placeholder v0.1.0 until the dotfiles release pipeline overwrites url/sha256; head block allows --HEAD installs meanwhile). The formula bundles the repo into libexec, installs a thin dotfiles wrapper on PATH, and auto-wires the shell config into $HOME in post_install via dotfiles ensure-wired.

Update Casks/nsheaps-base.rb to depend on the dotfiles formula and drop the manual caveats block (the antidote cat >> ~/.zshrc bundle and the mise use -g step) now that wiring is automatic. Keep the remaining manual steps (rosetta, gh auth, gpg/ssh keys, restart) and the brew alias note, and bump the cask version.

Claude-Session: https://claude.ai/code/session_01P7rjL9mbvr8Q8KSndRGGET

claude and others added 4 commits July 9, 2026 21:07
Add Formula/dotfiles.rb (placeholder v0.1.0 until the dotfiles release
pipeline overwrites url/sha256; head block allows --HEAD installs
meanwhile). The formula bundles the repo into libexec, installs a thin
`dotfiles` wrapper on PATH, and auto-wires the shell config into $HOME in
post_install via `dotfiles ensure-wired`.

Update Casks/nsheaps-base.rb to depend on the dotfiles formula and drop
the manual caveats block (the antidote `cat >> ~/.zshrc` bundle and the
`mise use -g` step) now that wiring is automatic. Keep the remaining
manual steps (rosetta, gh auth, gpg/ssh keys, restart) and the brew
alias note, and bump the cask version.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01P7rjL9mbvr8Q8KSndRGGET
Move the inline comment on the dotfiles `depends_on` above the line to
clear rubocop Layout/LineLength (122/120), and add `gotmpl`, `libexec`,
and `customizer` to the cspell project dictionary so the new formula and
existing cask lines pass spell checking.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01P7rjL9mbvr8Q8KSndRGGET
The Security job's checkov step failed on two pre-existing findings:

- CKV2_GHA_1 (dispatch-review.yaml): no top-level permissions block, so
  the default is treated as write-all. Add a least-privilege top-level
  `permissions: contents: read`. The review job is a reusable-workflow
  call with its own explicit (broader) permissions, which still governs
  the called workflow.

- CKV_GHA_7 (apply-repo-settings.yaml): workflow_dispatch inputs must be
  empty. Drop the `dry-run` input and instead read the dry-run flag from a
  repository_dispatch client_payload, preserving the capability through a
  channel the check allows.

Note: both files carry upstream "managed by nsheaps/.github" sync headers;
these fixes should be mirrored there to survive the next template sync.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01P7rjL9mbvr8Q8KSndRGGET
…puts

Restore the apply-repo-settings.yaml `workflow_dispatch` dry-run input and
disable CKV_GHA_7 ("workflow_dispatch inputs MUST be empty") repo-wide via
a new .checkov.yaml skip-check. That SLSA build-integrity check does not fit
our automation workflows, which legitimately expose a manual dry-run toggle
and produce no build artifact.

The repo-level config (auto-loaded by `checkov -d .`) survives the upstream
nsheaps/.github template sync, unlike an inline skip in the managed file.
The dispatch-review.yaml top-level least-privilege permissions block
(CKV2_GHA_1) is kept as-is.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01P7rjL9mbvr8Q8KSndRGGET
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants