plugins: homebrew: Add "brew audit" to allowlist

[MTCoster]

Overview

Allow the homebrew plugin to provide the token for the audit subcommand. Also re-sort the existing subcommands.

Type of change

• Created a new plugin
• Improved an existing plugin
• Fixed a bug in an existing plugin
• Improved contributor utilities or experience

How To Test

$ brew audit --online <cask>

Changelog

Allow the homebrew plugin to provide the token for the audit subcommand.

[github-actions]

⚠️ This PR contains unsigned commits. To get your PR merged, please sign those commits (git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}) and force push them to this branch (git push --force-with-lease).

If you're new to commit signing, there are different ways to set it up:

Sign commits with gpg

Follow the steps below to set up commit signing with gpg:

1. Generate a GPG key
2. Add the GPG key to your GitHub account
3. Configure git to use your GPG key for commit signing

Sign commits with ssh-agent

Follow the steps below to set up commit signing with ssh-agent:

1. Generate an SSH key and add it to ssh-agent
2. Add the SSH key to your GitHub account
3. Configure git to use your SSH key for commit signing

Sign commits with 1Password

You can also sign commits using 1Password, which lets you sign commits with biometrics without the signing key leaving the local 1Password process.

Learn how to use 1Password to sign your commits.

[edif2008]

Thank you for your contribution! 😄

I've left only one question that is related to backwards compatibility when it comes to adding authentication for the Shell plugin to new subcommands that didn't require it before.

[edif2008]

How will this affect current users that don't expect to be asked to authorize the Shell plugin for this subcommand?

Is this something that we want to accept from now on?

[SimonBarendse]

Just quickly checked brew audit usage and it does seem like there are use cases where you would not require authentication.

So I think we need to scope this down so that auth is only provided when it's required. For:

• Security: provide access least privilege only when needed.
• Productivity: only bother user with authorization prompt when needed.

I imagine a flag like --online or --tap may indicate there's a need for auth, but I'll defer to @MTCoster who has more context on the use cases for this command.

We can implement using needsauth.IfAll combined with the current needsauth.ForCommand and a new to be created in needsauth/helpers.go WhenContainsArgs (which can share most of its logic with existing NotWhenContainsArgs).

[scottisloud]

@MTCoster Just wanted to see if you were still interested in taking this PR forward. There are some minor changes and decisions that need to be made before finalizing things.

Happy to give this a review after the current changes are addressed!