---
id: TASK-006
title: Webhook-driven auto-publish to the Homebrew tap
status: "\U0001F3C1 Done"
assignee: []
created_date: '2026-06-18 05:53'
updated_date: '2026-06-18 06:33'
labels:
  - feature
dependencies: []
priority: medium
ordinal: 6000
---

## Description

<!-- SECTION:DESCRIPTION:BEGIN -->
When a semver tag is pushed to a brew-enabled repo, custard auto-publishes a new formula to the homebrew-tap — no manual brew-release.sh. Soft Serve fires a branch_tag_create webhook (signed) to a custard endpoint; custard archives the tag, writes the tarball to /dl, renders the formula, and commits it to the tap. Per-repo opt-in via a .custard.yaml file. Built in, works out-of-box for any custard deployer.
<!-- SECTION:DESCRIPTION:END -->

## Acceptance Criteria
<!-- AC:BEGIN -->
- [x] #1 Soft Serve branch_tag_create webhook (signed w/ secret) → custard endpoint POST /hooks/release
- [x] #2 Endpoint verifies the HMAC signature against a configured secret; rejects bad/unsigned
- [x] #3 Only semver tags (vX.Y.Z) trigger a release; non-semver/branch events ignored
- [x] #4 Per-repo opt-in: .custard.yaml at repo root (brew.enabled: true, optional package path); no file or disabled = skipped
- [x] #5 Release runs in custard (Go): archive tag → tarball to /dl → sha256 → render formula → commit to homebrew-tap bare repo
- [x] #6 Re-publishing same version overwrites cleanly; logged
- [x] #7 Docs: how to enable a repo + how to register the webhook (ssh soft repo webhook create)
<!-- AC:END -->