brew install call gh attestation verify Disrespect XDG_CACHE_HOME

[EXHades]

brew doctor output

➜ brew doctor
Your system is ready to brew.

Verification

• My "brew doctor output" above says Your system is ready to brew. and am still able to reproduce my issue.
• I ran brew update twice and am still able to reproduce my issue.
• This issue's title and/or description do not reference a single formula e.g. brew install wget. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.

brew config output

HOMEBREW_VERSION: 4.3.17-72-g4362955
ORIGIN: https://github.com/Homebrew/brew.git
HEAD: 4362955bfcfceddde98b9ae12dc65a67aa25f42c
Last commit: 2 hours ago
Core tap JSON: 21 Aug 10:11 UTC
Core cask tap JSON: 21 Aug 10:13 UTC
HOMEBREW_PREFIX: /usr/local
HOMEBREW_CASK_OPTS: []
HOMEBREW_EDITOR: nvim
HOMEBREW_MAKE_JOBS: 12
HOMEBREW_SORBET_RUNTIME: set
Homebrew Ruby: 3.3.4 => /usr/local/Homebrew/Library/Homebrew/vendor/portable-ruby/3.3.4_1/bin/ruby
CPU: dodeca-core 64-bit kabylake
Clang: 15.0.0 build 1500
Git: 2.46.0 => /usr/local/bin/git
Curl: 8.7.1 => /usr/bin/curl
macOS: 14.6.1-x86_64
CLT: 15.3.0.0.1.1708646388
Xcode: 15.4

What were you trying to do (and why)?

I want to use XDG_CACHE_HOME change cache path , but brew install ignore XDG_CACHE_HOME, force create ~/.cache/gh/.sigstore/root

• the issue is not with gh XDG_CACHE_HOME doesn't work on sigstore cache path cli/cli#9492
• only when brew call gh attestation verify

What happened (include all command output)?

➜ ls ~/.cache
total 0

# change cache path
➜ export XDG_CACHE_HOME="${HOME}/Library/Caches"

# install git-cliff for demo
➜ brew install -v -d --force-bottle git-cliff
...
==> Verifying attestation for git-cliff
/usr/bin/env GH_TOKEN=****** GH_HOST=github.com /usr/local/bin/gh attestation verify /Users/exhades/Library/Caches/Homebrew/downloads/7bf494d95b6ea269ed9a7aded75e5b755b22107e5da7318f095f3f87c5730655--git-cliff-2.4.0.sonoma.bottle.tar.gz --repo Homebrew/homebrew-core --format json
...


➜ ls ~/.cache
gh

➜ tree -a  ~/.cache/
~/.cache
└── gh
    └── .sigstore
        └── root
            ├── tuf-repo-cdn.sigstore.dev
            │   ├── root.json
            │   ├── snapshot.json
            │   ├── targets
            │   │   └── trusted_root.json
            │   ├── targets.json
            │   └── timestamp.json
            └── tuf-repo-cdn.sigstore.dev.json

• ~/.cache/gh/.sigstore should not be created

What did you expect to happen?

gh cache save to XDG_CACHE_HOME="${HOME}/Library/Caches" path

Step-by-step reproduction instructions (by running brew commands)

As above

[MikeMcQuaid]

We don't support XDG_CACHE_HOME in Homebrew on macOS, sorry.

[EXHades]

gh supports XDG_CACHE_HOME by default on macOS, this issue it's just that brew seems to force override the XDG_CACHE_HOME environment variable when calling gh?

[MikeMcQuaid]

@EXHades Homebrew doesn't pass through XDG_CACHE_HOME to its environment on macOS.

[0f-0b]

As a workaround, I made a wrapper script for gh (see below) and added it to PATH in order to force it to write caches to the caches directory.

#!/bin/sh

export PATH='/opt/homebrew/bin:/usr/bin:/bin'
export XDG_CACHE_HOME=~/Library/Caches
exec "$(basename "$0")" "$@"

I'm hoping for a future where Homebrew doesn't depend on gh for verifying attestations.