{"id":43980716,"url":"https://github.com/macadmins/carafe","last_synced_at":"2026-04-02T20:35:56.015Z","repository":{"id":327268051,"uuid":"1091935954","full_name":"macadmins/carafe","owner":"macadmins","description":"Carafe is a (fancy) wrapper for Homebrew","archived":false,"fork":false,"pushed_at":"2026-03-31T20:41:23.000Z","size":120,"stargazers_count":68,"open_issues_count":1,"forks_count":2,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-31T22:26:35.191Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/macadmins.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-11-07T18:34:11.000Z","updated_at":"2026-03-28T01:37:07.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/macadmins/carafe","commit_stats":null,"previous_names":["macadmins/carafe"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/macadmins/carafe","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macadmins%2Fcarafe","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macadmins%2Fcarafe/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macadmins%2Fcarafe/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macadmins%2Fcarafe/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/macadmins","download_url":"https://codeload.github.com/macadmins/carafe/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macadmins%2Fcarafe/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31315999,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T12:59:32.332Z","status":"ssl_error","status_checked_at":"2026-04-02T12:54:48.875Z","response_time":89,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-07T09:02:40.942Z","updated_at":"2026-04-02T20:35:56.007Z","avatar_url":"https://github.com/macadmins.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Carafe\n\nCarafe is a (fancy) wrapper for [Homebrew](https://brew.sh). It is designed to be run as root; it drops privileges to the currently logged-in user so it can be safely executed by management tools such as Munki or Jamf.\n\n## Example use cases\n\n- Bootstrapping engineering machines with a set of Homebrew formulae.\n- Enforcing minimum formulae versions to address security vulnerabilities, only for formulae that are already installed.\n- For a full example of using Carafe with Munki, see the [examples](https://github.com/macadmins/carafe/tree/main/examples) directory.\n\nIn addition to the basic Homebrew functionality, Carafe provides a few additional features:\n\n## Minimum version enforcement\n\nYou can specify a minimum version of a formula that should be installed. If the installed version is lower than the specified minimum version, Carafe will automatically upgrade it to the latest version.\n\n```bash\n/opt/macadmins/bin/carafe update \u003cformula\u003e --min-version=\u003cversion\u003e\n```\n\n## Check\n\nCarafe can check whether a formula is installed and whether it meets a minimum version. Use `--skip-not-installed` to ignore formulae that are not installed; this is useful when you only want to enforce minimum versions for installed formulae.\n\n```bash\n/opt/macadmins/bin/carafe check \u003cformula\u003e [--min-version=\u003cversion\u003e] [--skip-not-installed]\n```\n\n### Caching\n\nWhen running many `check` commands in quick succession (e.g. from multiple Munki `installcheck_script` entries), Carafe caches the output of `brew info --json --installed` on disk for 60 seconds by default. This means only the first `check` call invokes Homebrew; all subsequent calls within the TTL window are served from the cache, significantly reducing the time for a full Munki check run.\n\nThe cache is stored at `/var/root/.carafe/brew_info_cache_arm64.json` (Apple Silicon) or `/var/root/.carafe/brew_info_cache_x86_64.json` (Intel). The directory is created with mode `0700` so only root can read or write cache files, preventing symlink and injection attacks.\n\nTo disable caching:\n```bash\n/opt/macadmins/bin/carafe check \u003cformula\u003e --no-cache\n```\n\nTo use a custom cache TTL:\n```bash\n/opt/macadmins/bin/carafe check \u003cformula\u003e --cache-ttl=30s\n/opt/macadmins/bin/carafe check \u003cformula\u003e --cache-ttl=2m\n```\n\n### Munki-specific exit codes\n\nMunki expects an exit code of 0 to indicate that installation is required, and 1 to indicate that no action is needed when using `installcheck_script`. With `--munki-installcheck`, `carafe check` exits 0 if the formula is not installed or fails the `--min-version` check, and 1 if it is installed and meets the requirement.\n\n```bash\n/opt/macadmins/bin/carafe check \u003cformula\u003e [--min-version=\u003cversion\u003e] [--skip-not-installed] --munki-installcheck\n```\n\n## Other supported brew commands\n\nThese commands support the same options as the `brew` command. The commands are:\n\n- `cleanup`\n- `info`\n- `install`\n- `tap`\n- `uninstall`\n- `untap`\n- `upgrade`\n\n## Occasionally asked questions\n\n- **Does Carafe install Homebrew if it is not already installed?**: No, Carafe assumes that Homebrew is already installed on the system. We recommend using the [official package from Github](https://github.com/Homebrew/brew/releases).\n- **Does Carafe prevent the use of Homebrew outside of Carafe?**: No, Carafe does not restrict the use of Homebrew. If you need to prevent users from using Homebrew directly, or prevent the installation of unauthorized formulae, consider using tools like [Santa](https://github.com/northpolesec/santa).\n- **Will Carafe work in a shared deployment, such as an instructional lab?**: Carafe has not been tested in shared deployments, and it is possible there will be issues in those scenarios.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmacadmins%2Fcarafe","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmacadmins%2Fcarafe","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmacadmins%2Fcarafe/lists"}