Context
Following the resolution of #129 (PAT → GitHub App auth migration in craft), parallel migrations are in flight for 4 sibling plugins that already have APP_ID + APP_PRIVATE_KEY configured: aiterm, flow-cli, atlas, mcp-bridge.
Two plugins are deferred because they still rely on the expiring PAT and don't have App secrets configured yet:
| Repo |
Has APP_ID |
Has APP_PRIVATE_KEY |
Has HOMEBREW_TAP_GITHUB_TOKEN |
| Data-Wise/himalaya-mcp |
❌ |
❌ |
✅ (2026-02-15) |
| Data-Wise/nexus-cli |
❌ |
❌ |
✅ (2025-12-31) |
The nexus-cli PAT is from December 31, 2025 — over 4 months old and almost certainly already expired (or expires imminently). Recent releases of either plugin will likely fail with the same could not read Username for github.com error that hit craft on 2026-05-10.
Required setup (per repo)
The same GitHub App that craft uses can be reused — it's already installed on Data-Wise/homebrew-tap with Contents: write permission. Each downstream repo just needs the App's credentials as secrets.
For each of himalaya-mcp and nexus-cli:
# 1. Look up the App credentials (stored wherever you saved them when creating the App)
# APP_ID is a number like "1234567"
# APP_PRIVATE_KEY is the contents of the .pem file downloaded at App creation
# 2. Set the secrets
gh secret set APP_ID -R Data-Wise/<repo> --body "<app-id-number>"
gh secret set APP_PRIVATE_KEY -R Data-Wise/<repo> < /path/to/app-private-key.pem
# 3. Verify
gh secret list -R Data-Wise/<repo>
# Should show APP_ID and APP_PRIVATE_KEY
If the original .pem file was lost, generate a new private key from the App's settings page (Settings → Developer settings → GitHub Apps → [your app] → Generate a private key). The old key remains valid until explicitly revoked.
After secrets are set
Migrate each repo's .github/workflows/homebrew-release.yml using the same pattern as craft's c99e04de (already applied to aiterm/flow-cli/atlas/mcp-bridge in their respective PRs).
Mechanical change per repo (matches the craft commit minus the formula name):
- Replace the
update-homebrew job's workflow_call to Data-Wise/homebrew-tap/.github/workflows/update-formula.yml@main with an inline job that:
- Mints token via
actions/create-github-app-token@v1 (using APP_ID + APP_PRIVATE_KEY)
- Checks out
Data-Wise/homebrew-tap with the minted token
- Updates the right manifest entry (
formulas['<plugin-name>']) and runs python3 generator/generate.py <plugin-name>
- Commits and pushes
Reference: https://github.com/Data-Wise/craft/blob/main/.github/workflows/homebrew-release.yml
Why this is worth doing
- Both repos will hit the same auth failure at next release (PAT either expired or close to it)
- Manual fallback (local tap update) works but bypasses the validation pipeline
- Aligns the entire homebrew distribution with the durable App-based pattern
Context
Following the resolution of #129 (PAT → GitHub App auth migration in craft), parallel migrations are in flight for 4 sibling plugins that already have
APP_ID+APP_PRIVATE_KEYconfigured:aiterm,flow-cli,atlas,mcp-bridge.Two plugins are deferred because they still rely on the expiring PAT and don't have App secrets configured yet:
APP_IDAPP_PRIVATE_KEYHOMEBREW_TAP_GITHUB_TOKENThe
nexus-cliPAT is from December 31, 2025 — over 4 months old and almost certainly already expired (or expires imminently). Recent releases of either plugin will likely fail with the samecould not read Username for github.comerror that hit craft on 2026-05-10.Required setup (per repo)
The same GitHub App that craft uses can be reused — it's already installed on
Data-Wise/homebrew-tapwithContents: writepermission. Each downstream repo just needs the App's credentials as secrets.For each of
himalaya-mcpandnexus-cli:If the original
.pemfile was lost, generate a new private key from the App's settings page (Settings → Developer settings → GitHub Apps → [your app] → Generate a private key). The old key remains valid until explicitly revoked.After secrets are set
Migrate each repo's
.github/workflows/homebrew-release.ymlusing the same pattern as craft'sc99e04de(already applied to aiterm/flow-cli/atlas/mcp-bridge in their respective PRs).Mechanical change per repo (matches the craft commit minus the formula name):
update-homebrewjob'sworkflow_calltoData-Wise/homebrew-tap/.github/workflows/update-formula.yml@mainwith an inline job that:actions/create-github-app-token@v1(usingAPP_ID+APP_PRIVATE_KEY)Data-Wise/homebrew-tapwith the minted tokenformulas['<plugin-name>']) and runspython3 generator/generate.py <plugin-name>Reference: https://github.com/Data-Wise/craft/blob/main/.github/workflows/homebrew-release.yml
Why this is worth doing