From f42c478725764c12346c031628f093884ed2668e Mon Sep 17 00:00:00 2001
From: Siddharth <siddharthvaddem@yahoo.com>
Date: Sat, 9 May 2026 16:22:58 -0700
Subject: [PATCH] fix homebrew cask audit warnings

- Use #{version} interpolation in URLs so brew detects them as versioned
  (silences "Use sha256 :no_check when URL is unversioned").
- Drop blank line between on_arm and on_intel (same stanza group).
- Alphabetize zap trash array.
- Add verified: stanza for the GitHub release URL.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/update-homebrew-cask.yml | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/update-homebrew-cask.yml b/.github/workflows/update-homebrew-cask.yml
index f75b39e..8beebff 100644
--- a/.github/workflows/update-homebrew-cask.yml
+++ b/.github/workflows/update-homebrew-cask.yml
@@ -112,18 +112,24 @@ jobs:
           mkdir -p tap/Casks
           BASE="https://github.com/${REPO}/releases/download/${TAG}"
 
+          # #{version} is Ruby interpolation written literally to the cask
+          # file (bash heredoc leaves "#{...}" alone). \${VERSION}, \${ARM_SHA},
+          # etc. are bash variables expanded by the heredoc. The literal
+          # #{version} fixes Homebrew's "URL is unversioned" audit warning by
+          # making the version string statically detectable.
           cat > "tap/Casks/${CASK_NAME}.rb" <<EOF
           cask "${CASK_NAME}" do
             version "${VERSION}"
 
             on_arm do
               sha256 "${ARM_SHA}"
-              url "${BASE}/${ARM_NAME}"
+              url "https://github.com/${REPO}/releases/download/v#{version}/${ARM_NAME}",
+                  verified: "github.com/${REPO}/"
             end
-
             on_intel do
               sha256 "${X64_SHA}"
-              url "${BASE}/${X64_NAME}"
+              url "https://github.com/${REPO}/releases/download/v#{version}/${X64_NAME}",
+                  verified: "github.com/${REPO}/"
             end
 
             name "Openscreen"
@@ -137,9 +143,9 @@ jobs:
 
             zap trash: [
               "~/Library/Application Support/Openscreen",
-              "~/Library/Preferences/com.siddharthvaddem.openscreen.plist",
-              "~/Library/Logs/Openscreen",
               "~/Library/Caches/com.siddharthvaddem.openscreen",
+              "~/Library/Logs/Openscreen",
+              "~/Library/Preferences/com.siddharthvaddem.openscreen.plist",
               "~/Library/Saved Application State/com.siddharthvaddem.openscreen.savedState",
             ]
           end