
Homebrew 6.0: Tap Trust Breaks CI — What to Do Now


Homebrew 6.0.0 landed yesterday, June 11, and took the top spot on Hacker News with 1,019 upvotes — but the version number isn’t the headline. The real story is tap trust, a new security model that requires every third-party tap to be explicitly approved before Homebrew 6.0 evaluates its Ruby code on your machine. That single change has already broken CI pipelines for virtually every maintainer running the standard brew test-bot GitHub Actions workflow. If you maintain a third-party tap, stop reading and go check your CI.

Beyond tap trust, 6.0 ships Linux sandboxing parity, a firm Intel deprecation clock, several quality-of-life improvements, and the official conclusion of the Rust rewrite experiment. There’s enough here to affect your daily workflow.

Homebrew Tap Trust: What Breaks and How to Fix It

Third-party Homebrew taps are Ruby code repositories. When you add one with brew tap user/repo, that code runs on your machine with your privileges during installs. Homebrew tolerated this for years, but supply chain attacks on package managers are no longer theoretical. Tap trust closes the gap by requiring explicit opt-in before loading third-party tap code — similar in spirit to npm’s --ignore-scripts.

The practical fallout: brew doctor now exits non-zero if any untrusted taps are present. The standard brew test-bot GitHub Actions workflow runs brew doctor first, so every third-party tap CI pipeline started failing when tap trust enforcement shipped on May 30. The GitHub issue tracking this CI breakage has confirmed the fix:


# Trust an entire tap (for regular use)
brew trust user/repo

# Install without trusting the whole tap (one-off)
brew install user/repo/formula

# Temporary CI workaround — add to your workflow env
# Warning: this env var will be removed in a future release
HOMEBREW_NO_REQUIRE_TAP_TRUST=1

For Brewfiles, add trusted: true to your tap entries. The workaround env var is explicitly temporary — Homebrew’s intent is to make trust mandatory. The right path is trusting your taps explicitly, not bypassing the check indefinitely.
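As an added example (not Homebrew's own tooling and not code from the tracking issue), the Ruby script below lints a Brewfile for tap entries that lack trusted: true and reports workflow lines that still set the temporary bypass variable. It assumes tap entries are written as tap "user/repo", trusted: true and that taps under homebrew/ are first-party; the sample Brewfile and workflow are constructed.

```ruby
# Added example: tap-trust lint for a Brewfile and a CI workflow file.
# Assumptions: tap lines look like  tap "user/repo", trusted: true
# and taps under "homebrew/" are first-party, so they are not flagged.
BYPASS_VAR  = "HOMEBREW_NO_REQUIRE_TAP_TRUST"
FIRST_PARTY = "homebrew/"

# Names of third-party taps declared without `trusted: true`.
def untrusted_taps(brewfile_text)
  brewfile_text.each_line.filter_map do |line|
    code = line.sub(/#.*/, "")                       # ignore comments
    m = code.match(/^\s*tap\s+["']([^"']+)["'](.*)$/)
    next unless m
    name, options = m[1], m[2]
    next if name.start_with?(FIRST_PARTY)
    name unless options.match?(/\btrusted:\s*true\b/)
  end
end

# 1-based line numbers where the temporary bypass variable is still set,
# in YAML (`VAR: 1`) or shell (`VAR=1`) form. Commented-out lines are skipped.
def bypass_lines(workflow_text)
  workflow_text.each_line.with_index(1).filter_map do |line, number|
    next if line.strip.start_with?("#")
    number if line.match?(/\b#{BYPASS_VAR}\s*[:=]/)
  end
end

# Constructed sample inputs (not taken from any real repository).
SAMPLE_BREWFILE = <<~BREWFILE
  tap "homebrew/cask"
  tap "acme/tools", trusted: true
  tap "example/untrusted"   # added by a teammate
  # tap "old/removed"
  brew "acme/tools/widget"
BREWFILE

SAMPLE_WORKFLOW = <<~WORKFLOW
  jobs:
    test-bot:
      runs-on: macos-latest
      env:
        HOMEBREW_NO_REQUIRE_TAP_TRUST: 1
      steps:
        - run: brew doctor
WORKFLOW

if __FILE__ == $PROGRAM_NAME
  untrusted_taps(SAMPLE_BREWFILE).each { |t| puts "untrusted tap in Brewfile: #{t}" }
  bypass_lines(SAMPLE_WORKFLOW).each { |n| puts "bypass variable still set at line #{n}" }
end
```

Run as a pre-merge check, a non-empty result from either function is the signal to review the tap before trusting it or to remove the bypass from the workflow.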


Intel Mac Users: September 2026 Is Your Hard Deadline

If you or your team are still running Intel Macs — or Intel-based CI runners — Homebrew 6.0 sets a firm clock. In September 2026, roughly three months away, Intel x86_64 macOS moves to Tier 3: no CI support, no new pre-built bottles. You can still install formulae from source, but every install becomes a compile job. September 2027 is full removal. The concrete dates remove any ambiguity. If your CI runners are still Intel, that migration conversation needs to happen now, not in August.

Linux Gets Sandboxing and the Rust Rewrite Is Done

Two other changes deserve attention. First, Linux Homebrew now runs build, test, and postinstall phases inside a Bubblewrap sandbox — matching the isolation macOS has had for years. This matters for Linux CI environments: formula build scripts can no longer reach outside the sandbox during builds. It’s a meaningful security improvement for anyone using Homebrew on Ubuntu runners.

Second, the brew-rs Rust frontend experiment is officially done. Benchmarks showed Rust faster only for narrow, already-cached bottle fetches — not on representative full installs that include pouring bottles, linking files, writing metadata, and running health checks. The repo is archived. This is the right call, and a useful reminder that rewriting in Rust isn’t always the answer. Homebrew’s performance gains in 6.0 come from Ruby optimizations and earlier I/O start, not a language switch.

The Quality-of-Life Changes Worth Knowing

brew install now shows a dependency summary and asks for confirmation before proceeding — ask mode is the new default, driven by user survey feedback. It’s a sensible default for interactive use, but scripts that assumed silent installs will break. Set HOMEBREW_NO_ASK=1 to restore the old behavior in non-interactive environments. Meanwhile, brew bundle now runs formula installations in parallel by default, which meaningfully speeds up environment setup from a Brewfile. The new brew exec command functions like npx, letting you run executables from installed formulae without permanently adding them to your PATH.

Key Takeaways

  • Third-party tap maintainers need to update CI immediately — use HOMEBREW_NO_REQUIRE_TAP_TRUST=1 as a temporary workaround, then migrate to explicit brew trust
  • Intel Mac and CI runner users have until September 2026 before pre-built bottles stop; source installs still work, but plan your migration now
  • Linux Homebrew now has sandboxed builds, matching macOS security behavior — a real improvement for CI environments
  • Scripts using brew install need HOMEBREW_NO_ASK=1 to avoid unexpected interactive prompts
  • The Rust rewrite experiment ended — Homebrew stays in Ruby, with performance gains through smarter I/O and optimization
ByteBot