From 768096b494a8d1acd40f1153540f1bf2577d8c75 Mon Sep 17 00:00:00 2001
From: OB
Date: Sun, 21 Jun 2026 16:43:39 +0700
Subject: [PATCH] fix(rust): run dist formula hardening from composite
---
 .../rust/harden-homebrew-formula/action.yml | 17 +++++++++++++++++
 .../harden-homebrew-formula.py | 0
 .github/workflows/rust-packages.yml | 6 +++---
 CHANGELOG.md | 5 +++++
 CLAUDE.md | 2 +-
 README.md | 1 +
 package.json | 2 +-
 7 files changed, 28 insertions(+), 5 deletions(-)
 create mode 100644 .github/actions/rust/harden-homebrew-formula/action.yml
 rename .github/{scripts => actions/rust/harden-homebrew-formula}/harden-homebrew-formula.py (100%)
diff --git a/.github/actions/rust/harden-homebrew-formula/action.yml b/.github/actions/rust/harden-homebrew-formula/action.yml
new file mode 100644
index 0000000..277b45d
--- /dev/null
+++ b/.github/actions/rust/harden-homebrew-formula/action.yml
@@ -0,0 +1,17 @@
+# Rust Harden Homebrew Formula Action Composite
+name: rust-harden-homebrew-formula
+description: Harden cargo-dist Homebrew formulae generated in a distribution directory.
+
+inputs:
+ dist-dir:
+ description: Directory containing cargo-dist global artifacts.
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - name: Harden Homebrew formula
+ shell: bash
+ env:
+ DIST_DIR: ${{ inputs.dist-dir }}
+ run: python3 "${GITHUB_ACTION_PATH}/harden-homebrew-formula.py" "${DIST_DIR}"
diff --git a/.github/scripts/harden-homebrew-formula.py b/.github/actions/rust/harden-homebrew-formula/harden-homebrew-formula.py
similarity index 100%
rename from .github/scripts/harden-homebrew-formula.py
rename to .github/actions/rust/harden-homebrew-formula/harden-homebrew-formula.py
diff --git a/.github/workflows/rust-packages.yml b/.github/workflows/rust-packages.yml
index 4609e5a..5094f25 100644
--- a/.github/workflows/rust-packages.yml
+++ b/.github/workflows/rust-packages.yml
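Review bot: The `dist-dir` description in the new composite ("Directory containing cargo-dist global artifacts") leaves the caller to guess how the path is resolved and what happens when it is absent; the `run:` step hands `${DIST_DIR}` straight to the script, whose behaviour on a missing or non-directory argument is not visible in this diff. I would extend it to `description: Directory containing cargo-dist global artifacts (e.g. target/distrib). A relative path is presumably resolved against the job workspace and must exist before this step runs.` Routing the input through `env:` instead of interpolating `${{ inputs.dist-dir }}` into `run:` is the right shape, since the value never reaches the shell as code. The step also presumes `python3` is on PATH, which holds on hosted runners but is worth noting in the top-of-file comment for self-hosted consumers.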
@@ -237,9 +237,9 @@ jobs:
 cp target/distrib/plan-dist-manifest.json target/distrib/dist-manifest.json
 dist build --tag="${GITHUB_REF_NAME}" --artifacts=global --output-format=json > "${RUNNER_TEMP}/dist-manifest.json"
- - name: Harden Homebrew formula
- shell: bash
- run: python3 .github/scripts/harden-homebrew-formula.py target/distrib
+ - uses: coroboros/ci/.github/actions/rust/harden-homebrew-formula@v0
+ with:
+ dist-dir: target/distrib
 # Undraft before the formula/npm job so they resolve against a live release, not a draft.
 - name: Upload release assets and undraft
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 12583f8..d7b6d12 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
+## v0.2.9 - 21/06/2026
+
+### Fixes
+- `rust-packages` — run Homebrew formula hardening from a versioned `rust/harden-homebrew-formula` composite instead of a `.github/scripts/...` path in the consumer checkout. Binary release repos now resolve the script through `coroboros/ci@v0` and no longer fail `dist-host` after the crate publish has succeeded.
+
 ## v0.2.8 - 20/06/2026
 ### Fixes
diff --git a/CLAUDE.md b/CLAUDE.md
index 4e2df2b..3ab9de1 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
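Review bot: The replacement `uses:` step drops the `name: Harden Homebrew formula` the removed step carried, so the job log and the checks UI will now label this step by its action path; keep it identifiable with `- name: Harden Homebrew formula` on the line above `uses: coroboros/ci/.github/actions/rust/harden-homebrew-formula@v0`. Referencing the composite at the rolling `v0` tag means consumers run whatever that tag points at, and the new composite is only reachable once a release moves `v0` onto this commit — until then the step fails on a missing action, so the rolling-tag move has to land in the same release. If the neighbouring `coroboros/ci/...@v0` steps in this job follow the same convention that is consistent, but a short comment saying why a SHA pin is not used for self-references would help the next reviewer. The enclosing job (dist-host, per the changelog) starts and ends outside the hunk.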
@@ -14,7 +14,7 @@ Reusable GitHub Actions workflows + composite actions for the Coroboros stack.
 - `.github/workflows/security-gate.yml` — blocking gate `publish-package` `needs:`. `scan-supply-chain` (auto-routed: `Cargo.toml` → `security/rust/cargo-deny` advisories+bans+sources, else `security/osv-scanner`) + `scan-secrets` (gitleaks). A separate reusable workflow so the caller's `publish` can `needs:` the whole gate as one job, running each scan once. Imposed via the package workflows, importable standalone by a non-package repo.
 - `.github/workflows/security.yml` — advisory layer, never blocks: `review-dependencies` (PR-only) + `check-licenses` (Rust, `security/rust/cargo-deny` `checks: licenses`). License/quality policy lives here, off the gate.
 - `.github/workflows/{self-lint,self-test,self-security,self-release}.yml` — self-CI: lint, the security composites + `security-gate`/`security` workflows via local `./`, the `v0` rolling-tag move, and `self-test` smoke-testing every composite (plus `javascript/base`/`rust/base` on `test/fixtures/`) every PR. Workflow self-tests resolve their `@v0` composites against the released `v0`, so a brand-new composite is testable only once a release moves `v0` onto it.
-- `.github/actions/{check-docs,javascript/base,rust/{base,native-deps,test-deps,install-dist,pin-version},security/{gitleaks,osv-scanner,rust/cargo-deny},release/{verify-tag,generate-changelog,github-release,commit-artifacts}}/action.yml` — composites.
+- `.github/actions/{check-docs,javascript/base,rust/{base,native-deps,test-deps,install-dist,pin-version,harden-homebrew-formula},security/{gitleaks,osv-scanner,rust/cargo-deny},release/{verify-tag,generate-changelog,github-release,commit-artifacts}}/action.yml` — composites.
 - `.github/dependabot.yml` — auto-PRs for pinned action SHAs. 
`renovate.json` + `.github/workflows/renovate.yml` — self-hosted Renovate (needs the `RENOVATE_TOKEN` PAT secret, scope `repo` + `workflow`) auto-bumps the version-pinned tooling; `.github/renovate/sync-tool-sha.sh` re-syncs each paired tarball SHA-256 in the same PR.
 - `security/.gitleaks.toml` — canonical gitleaks ruleset.
 - `security/deny.toml` — canonical cargo-deny ruleset, imposed via `--config` (consumer `deny.toml` ignored; `deny.exceptions.toml` rejected). An unfixable transitive advisory → PR a justified `ignore = ["RUSTSEC-…"]` (with `# why`) to this file, never a per-repo override.
diff --git a/README.md b/README.md
index f37306c..f25f79f 100644
--- a/README.md
+++ b/README.md
@@ -249,6 +249,7 @@ The advisory layer — reports, never blocks (parity with GitLab's `allow_failur
 | `rust/test-deps` | Rust | Loads the optional `ci/test.env` into the job env and runs the optional `ci/test-setup.sh` fixture hook before `cargo test`. Used by `rust/base`. No-op when absent. |
 | `rust/install-dist` | Rust | Installs cargo-dist's `dist` binary, prebuilt and SHA-256 verified (Linux/macOS/Windows). Shared by the `dist-plan`, `dist-build`, `dist-host` jobs. |
 | `rust/pin-version` | Rust | Installs version-pinned `cargo-set-version` (cargo-edit) and stamps `Cargo.toml` to the release tag. Shared by `publish-package` and the `dist-*` jobs. |
+| `rust/harden-homebrew-formula` | Rust | Hardens cargo-dist Homebrew formulae before release upload and tap publish. Shared by `rust-packages.yml`'s `dist-host` job. |
 | `security/gitleaks` | transverse | Installs gitleaks (SHA-256 verified), scans with the canonical ruleset, emits SARIF. Behind `security-gate.yml`'s `scan-secrets` and self-CI. |
 | `security/osv-scanner` | transverse | Scans dependency manifests for known vulnerabilities (OSV.dev); skips a repo with no supported manifest. Behind `security-gate.yml`'s `scan-supply-chain` (non-Rust) and self-CI. |
 | `security/rust/cargo-deny` | Rust | Runs cargo-deny against the canonical imposed `security/deny.toml` (sparse-checked from `coroboros/ci`, no consumer override). The `checks` input selects which checks run — `advisories bans sources` for the `security-gate.yml` `scan-supply-chain`, `licenses` for the `security.yml` advisory layer. |
diff --git a/package.json b/package.json
index 3034853..2a8c323 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@coroboros/ci",
- "version": "0.2.8",
+ "version": "0.2.9",
 "private": true,
 "description": "Reusable GitHub Actions CI for the Coroboros stack.",
 "license": "SEE LICENSE IN LICENSE.md",