Merge f653c54441 into 9df4ea095f

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.14.0 to 2.14.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](20cf305ff2...e3f713f2d8)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.14.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/dependencies.yml

@@ -13,7 +13,7 @@ jobs:
       contents: write # this is needed to push commits and branches
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
         with:
           egress-policy: audit
 

.github/workflows/installer.yml

@@ -26,7 +26,7 @@ jobs:
           - macos-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
         with:
           egress-policy: audit
 
@@ -47,7 +47,7 @@ jobs:
       - test
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
         with:
           egress-policy: audit
 

.github/workflows/main.yml

@@ -24,7 +24,7 @@ jobs:
     if: github.repository == 'ohmyzsh/ohmyzsh'
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
         with:
           egress-policy: audit
 

.github/workflows/project.yml

@@ -17,7 +17,7 @@ jobs:
     if: github.repository == 'ohmyzsh/ohmyzsh'
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
         with:
           egress-policy: audit
       - name: Authenticate as @ohmyzsh

.github/workflows/scorecard.yml

@@ -36,7 +36,7 @@ jobs:
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
         with:
           egress-policy: audit
 
@@ -60,6 +60,6 @@ jobs:
           retention-days: 5
 
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4.31.11
+        uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
         with:
           sarif_file: results.sarif

plugins/brew/README.md

@@ -10,12 +10,17 @@ plugins=(... brew)
 
 ## Shellenv
 
-If `brew` is not found in the PATH, this plugin will attempt to find it in common locations, and execute
-`brew shellenv` to set the environment appropriately. This plugin will also export
-`HOMEBREW_PREFIX="$(brew --prefix)"` if not previously defined for convenience.
+This plugin evaluates Homebrew's shell environment on load to ensure `PATH`, `MANPATH`, `INFOPATH`, and other
+Homebrew variables are up to date:
 
-In case you installed `brew` in a non-common location, you can still set `BREW_LOCATION` variable pointing to
-the `brew` binary before sourcing `oh-my-zsh.sh` and it'll set up the environment.
+```zsh
+eval "$(brew shellenv)"
+```
+
+If `brew` is not already on `PATH`, the plugin will attempt to find it in common locations and run
+`brew shellenv` from there. You can also set a `BREW_LOCATION` variable pointing to the `brew` binary before
+loading Oh My Zsh to override detection. This plugin will also export `HOMEBREW_PREFIX="$(brew --prefix)"`
+if not previously defined for convenience.
 
 ## Aliases
 

plugins/brew/brew.plugin.zsh

@@ -1,4 +1,7 @@
-if (( ! $+commands[brew] )); then
+if (( $+commands[brew] )); then
+  # Brew is already on PATH; still evaluate shellenv to ensure env vars are current
+  eval "$(brew shellenv)"
+else
   if [[ -n "$BREW_LOCATION" ]]; then
     if [[ ! -x "$BREW_LOCATION" ]]; then
       echo "[oh-my-zsh] $BREW_LOCATION is not executable"
@@ -16,9 +19,7 @@ if (( ! $+commands[brew] )); then
     return
   fi
 
-  # Only add Homebrew installation to PATH, MANPATH, and INFOPATH if brew is
-  # not already on the path, to prevent duplicate entries. This aligns with
-  # the behavior of the brew installer.sh post-install steps.
+  # Evaluate Homebrew shell environment from discovered brew binary
   eval "$("$BREW_LOCATION" shellenv)"
   unset BREW_LOCATION
 fi