Homebrew tap
June 4, 2026
machine is distributed through the katspaugh/machine Homebrew tap. Users install with:
brew install katspaugh/machine/machine
The tap is a separate repo from this one. Formula/machine.rb here is the source of truth — copy it into the tap on every release.
One-time setup
Create the tap repo on GitHub. Homebrew expects the name to be homebrew-<tap>:
gh repo create katspaugh/homebrew-machine --public \
--description "Homebrew tap for machine"
git clone git@github.com:katspaugh/homebrew-machine.git
mkdir -p homebrew-machine/Formula
cp Formula/machine.rb homebrew-machine/Formula/
cd homebrew-machine && git add . && git commit -m "Initial formula" && git push
Cutting a release
- Make sure CHANGELOG.md has the release notes under ## [Unreleased] (the script refuses to release an empty section).
- Run the one-shot script:
scripts/release.sh 0.1.1
It runs lint + unit, promotes the Unreleased changelog section to the new
version, tags, computes sha256, bumps both formulas, pushes both repos, and
creates a GitHub Release whose notes are that changelog section. Requires a
clean working tree and gh auth status healthy.
Or by hand
- Tag this repo and push the tag:
  git tag v0.X.0 && git push origin v0.X.0
- Compute the tarball SHA256:
  curl -fsSL https://github.com/katspaugh/machine/archive/refs/tags/v0.X.0.tar.gz \
    | shasum -a 256
- In homebrew-machine/Formula/machine.rb, update:
  - url → the new tag's tarball URL
  - sha256 → the digest from step 2
- Commit + push the tap. Users get the new version on brew upgrade.
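Steps 2 and 3 of the by-hand procedure as a script, plus a check that a tarball still matches the formula's pin. This is an added example, not code from the machine repo or its scripts/release.sh; the function names and the sample formula contents are assumptions, and the tarball is stand-in bytes constructed locally.

```shell
#!/usr/bin/env bash
# Added example: function names and the sample formula are assumptions.
sha256_of() {  # hex SHA-256 of a file (sha256sum on Linux, shasum on macOS)
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

pinned_digest() {  # print the digest the formula currently pins
  sed -nE 's/^[[:space:]]*sha256 "([0-9a-f]{64})".*/\1/p' "$1" | head -n 1
}

bump_formula() {  # usage: bump_formula FORMULA VERSION TARBALL
  local formula="$1" version="$2" tarball="$3" digest url tmp
  # Only plain version strings may reach the sed expressions below.
  case $version in ''|*[!0-9A-Za-z.+-]*) return 1 ;; esac
  # Refuse a formula that has no url or sha256 line to rewrite.
  grep -Eq '^[[:space:]]*url "' "$formula" || return 1
  [ -n "$(pinned_digest "$formula")" ] || return 1
  digest=$(sha256_of "$tarball")
  [ "${#digest}" -eq 64 ] || return 1   # missing or unreadable tarball
  url="https://github.com/katspaugh/machine/archive/refs/tags/v${version}.tar.gz"
  tmp=$(mktemp) || return 1
  sed -E -e "s|^([[:space:]]*url )\".*\"|\\1\"${url}\"|" \
         -e "s|^([[:space:]]*sha256 )\".*\"|\\1\"${digest}\"|" \
         "$formula" > "$tmp" && cat "$tmp" > "$formula" && rm -f "$tmp"
}

verify_pin() {  # usage: verify_pin FORMULA TARBALL; succeeds only on a match
  local pin; pin=$(pinned_digest "$1")
  [ -n "$pin" ] && [ "$pin" = "$(sha256_of "$2")" ]
}

demo() {  # constructed formula and stand-in tarball bytes; nothing is downloaded
  local dir; dir=$(mktemp -d) || return 1
  printf 'constructed tarball bytes\n' > "$dir/src.tar.gz"
  cat > "$dir/machine.rb" <<'EOF'
class Machine < Formula
  url "https://github.com/katspaugh/machine/archive/refs/tags/v0.1.0.tar.gz"
  sha256 "0000000000000000000000000000000000000000000000000000000000000000"
end
EOF
  bump_formula "$dir/machine.rb" 0.1.1 "$dir/src.tar.gz" || return 1
  verify_pin "$dir/machine.rb" "$dir/src.tar.gz" && echo "pin ok"
  printf 'x' >> "$dir/src.tar.gz"   # simulate bytes changing after the bump
  verify_pin "$dir/machine.rb" "$dir/src.tar.gz" || echo "pin mismatch detected"
  rm -rf "$dir"
}
demo
```

Running verify_pin against the tarball you actually tested, before pushing the tap, catches a digest that was copied from the wrong tag.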
Why a tap (and not the curl|sh in the landing page)
A tap is the most-trusted install path on macOS:
- Auditable: the formula lives in a public repo; users can read it before installing.
- Pinned: each release ties to an immutable tagged tarball + SHA256. Drift between what was tested and what gets installed is impossible without a tap-repo commit.
- Reversible: brew uninstall removes the binary and the formula's tracked files cleanly.
- No root: the formula installs under $HOMEBREW_PREFIX, never /usr.
The curl https://runmachine.dev/install | sh path is kept as a fallback for users who prefer it, but the landing page should put brew install first.
Verifying provenance (optional, recommended)
For extra legitimacy, sign release tarballs with GitHub artifact attestations in CI. Users can then run:
gh attestation verify --owner katspaugh \
$(brew --cache)/downloads/*machine*.tar.gz
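This proves the tarball was built by the katspaugh/machine GitHub Actions runner from a specific commit. Note that --owner accepts an attestation from any repository owned by katspaugh; pass --repo katspaugh/machine instead to bind the check to this repository. Worth setting up before announcing the tap publicly.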