Skip to content

brew.sh: avoid here-string for sandbox compatibility #21175

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
MikeMcQuaid merged 1 commit into from
Dec 4, 2025
Merged

brew.sh: avoid here-string for sandbox compatibility #21175

MikeMcQuaid merged 1 commit into from
Dec 4, 2025

Conversation

@bendrucker
Copy link
Contributor

@bendrucker bendrucker commented Dec 4, 2025
edited
Loading

Following up on #21157, which made shellenv.sh sandbox-compatible by using lsof instead of ps, this change addresses another sandbox issue in brew.sh.

The here-string syntax triggers a warning:

/opt/homebrew/Library/Homebrew/brew.sh: line 60: cannot create temp file for here document: Operation not permitted

This occurs because here-strings (<<<) internally create temporary files, which many sandboxes restrict for security reasons.

Changes

Replaces the here-string version parsing with IFS-based word splitting:

# Before
IFS=. read -r -a MACOS_VERSION_ARRAY <<<"${HOMEBREW_MACOS_VERSION}"

# After
IFS=.
MACOS_VERSION_ARRAY=($HOMEBREW_MACOS_VERSION)
unset IFS

This produces identical results without requiring temp file creation.

Testing

Verified that brew shellenv runs without warnings when executed under sandbox-runtime and that version parsing continues to work correctly.

I used https://github.com/anthropic-experimental/sandbox-runtime below, which is what Claude Code uses internally for its sandboxing. It uses Seatbelt on macOS.

Before

srt brew shellenv
/opt/homebrew/Library/Homebrew/brew.sh: line 60: cannot create temp file for here document: Operation not permitted
export HOMEBREW_PREFIX="/opt/homebrew";
# ...

After

srt ./bin/brew shellenv
export HOMEBREW_PREFIX="/opt/homebrew";
# ...

References

Copilot AI review requested due to automatic review settings December 4, 2025 02:37
Copilot AI reviewed Dec 4, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses sandbox compatibility issues in brew.sh by replacing a here-string syntax that creates temporary files (blocked by sandboxes) with IFS-based word splitting. This follows up on PR #21157's similar fix for shellenv.sh.

Key Changes:

  • Replaces IFS=. read -r -a MACOS_VERSION_ARRAY <<<"${HOMEBREW_MACOS_VERSION}" with explicit IFS manipulation and array assignment to avoid temp file creation on line 60

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@bendrucker bendrucker force-pushed the brew-sh-sandbox-friendly-version-parsing branch from 80f32d9 to ea43640 Compare December 4, 2025 02:49
MikeMcQuaid
MikeMcQuaid approved these changes Dec 4, 2025
View reviewed changes
Copy link
Member

@MikeMcQuaid MikeMcQuaid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, thanks!

@MikeMcQuaid MikeMcQuaid added this pull request to the merge queue Dec 4, 2025
Merged via the queue into Homebrew:main with commit 0b75cf0 Dec 4, 2025
36 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@MikeMcQuaid MikeMcQuaid MikeMcQuaid approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bendrucker @MikeMcQuaid