v1.3.3 tarball sha256 change?

[carlocab]

We're attempting to update Homebrew's version of Go (https://github.com/Homebrew/homebrew-core/pull/66355).

While testing the new version, CI produced the following error:

==> brew install --build-from-source hasura-cli
==> FAILED
==> Downloading https://github.com/hasura/graphql-engine/archive/v1.3.3.tar.gz
==> Downloading from https://codeload.github.com/hasura/graphql-engine/tar.gz/v1.3.3
Error: SHA256 mismatch
Expected: 20d6e4d2da8e9ad4008683e3427e496ce9a96044b549385595bc681acbd8607a
  Actual: 2171bd0611719ed2340c783fdb2ac8f98cfafb608ec7898074627ece90f7ad5c

I can update the sha256 associated with the formula, but CI will come back to me with the following error:

hasura-cli:
  * stable sha256 changed without the url/version also changing; please create an issue upstream to rule out malicious circumstances and to find out why the file changed.

Can I confirm that nothing is amiss here?

[tirumaraiselvan]

We had a release of v1.3.3 which was in draft initially, it was then removed and after few days a proper v1.3.3 release was made. Did the SHA get cached somewhere when it was a draft release? I am not really sure what is happening.

[carlocab]

Homebrew hasura-cli was upgraded to v1.3.3 here: https://github.com/Homebrew/homebrew-core/pull/64534

It seems you have this process automated somehow. I suspect that this was still a draft release when this happened.

[carlocab]

@chenrui333 FYI, I think your bump action picked up a draft release.

[tirumaraiselvan]

We didn't bump action as part of our release. The homebrew package is community maintained, so quite surprised somebody picked this up in draft stage.

[tirumaraiselvan]

Is it possible to send a new patch to override this https://github.com/Homebrew/homebrew-core/pull/64534?

[carlocab]

Someone's already opened a PR to fix the recorded SHA256: https://github.com/Homebrew/homebrew-core/pull/67065

As for the bump action, I'm not sure how that got set up, so I don't know how to fix it.